Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 34.166818] netlink: 4 bytes leftover after parsing attributes in process `syz-executor475'.
executing program
executing program
[ 34.240542] netlink: 4 bytes leftover after parsing attributes in process `syz-executor475'.
[ 34.298965] netlink: 4 bytes leftover after parsing attributes in process `syz-executor475'.
executing program
[ 34.359034] netlink: 4 bytes leftover after parsing attributes in process `syz-executor475'.
executing program
[ 34.400878] netlink: 4 bytes leftover after parsing attributes in process `syz-executor475'.
executing program
[ 34.448811] netlink: 4 bytes leftover after parsing attributes in process `syz-executor475'.
executing program
[ 34.498847] netlink: 4 bytes leftover after parsing attributes in process `syz-executor475'.
executing program
[ 34.549266] netlink: 4 bytes leftover after parsing attributes in process `syz-executor475'.
executing program
[ 34.599370] netlink: 4 bytes leftover after parsing attributes in process `syz-executor475'.
executing program
executing program
[ 34.659084] netlink: 4 bytes leftover after parsing attributes in process `syz-executor475'.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 34.998969] ==================================================================
[ 35.006515] BUG: KASAN: use-after-free in refcount_dec_not_one+0x9a/0xc0
[ 35.013357] Read of size 4 at addr ffff8880b35250d8 by task syz-executor475/8088
[ 35.020895]
[ 35.022511] CPU: 1 PID: 8088 Comm: syz-executor475 Not tainted 4.14.230-syzkaller #0
[ 35.030568] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.039923] Call Trace:
[ 35.042602]  dump_stack+0x1b2/0x281
[ 35.046252]  print_address_description.cold+0x54/0x1d3
[ 35.051731]  kasan_report_error.cold+0x8a/0x191
[ 35.056415]  ? refcount_dec_not_one+0x9a/0xc0
[ 35.061272]  __asan_report_load4_noabort+0x68/0x70
[ 35.066231]  ? refcount_dec_not_one+0x9a/0xc0
[ 35.071621]  refcount_dec_not_one+0x9a/0xc0
[ 35.076200]  refcount_dec_and_mutex_lock+0x1a/0x60
[ 35.081983]  nbd_genl_connect+0xf94/0x1400
[ 35.086326]  ? nbd_xmit_timeout+0x500/0x500
[ 35.090669]  ? validate_nla+0x192/0x5e0
[ 35.094668]  genl_family_rcv_msg+0x572/0xb20
[ 35.099139]  ? genl_rcv+0x40/0x40
[ 35.102769]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 35.108232]  ? trace_hardirqs_on+0x10/0x10
[ 35.112473]  ? sock_sendmsg+0xb5/0x100
[ 35.116368]  genl_rcv_msg+0xaf/0x140
[ 35.120114]  netlink_rcv_skb+0x125/0x390
[ 35.124191]  ? genl_family_rcv_msg+0xb20/0xb20
[ 35.128778]  ? netlink_ack+0x9a0/0x9a0
[ 35.132698]  ? lock_acquire+0x170/0x3f0
[ 35.136686]  genl_rcv+0x24/0x40
[ 35.140014]  netlink_unicast+0x437/0x610
[ 35.144110]  ? netlink_sendskb+0xd0/0xd0
[ 35.148601]  ? __check_object_size+0x179/0x230
[ 35.153274]  netlink_sendmsg+0x62e/0xb80
[ 35.157704]  ? nlmsg_notify+0x170/0x170
[ 35.162393]  ? kernel_recvmsg+0x210/0x210
[ 35.166680]  ? security_socket_sendmsg+0x83/0xb0
[ 35.171442]  ? nlmsg_notify+0x170/0x170
[ 35.175423]  sock_sendmsg+0xb5/0x100
[ 35.179161]  ___sys_sendmsg+0x6c8/0x800
[ 35.183135]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 35.188041]  ? netlink_dump+0xad0/0xad0
[ 35.192314]  ? nlmsg_notify+0x170/0x170
[ 35.197125]  ? security_socket_recvmsg+0x8b/0xc0
[ 35.202880]  ? SyS_recvfrom+0x27f/0x340
[ 35.210438]  ? SyS_send+0x40/0x40
[ 35.215497]  ? vm_insert_page+0x7c0/0x7c0
[ 35.221902]  ? __fdget+0x167/0x1f0
[ 35.225864]  ? sockfd_lookup_light+0xb2/0x160
[ 35.230817]  __sys_sendmsg+0xa3/0x120
[ 35.234787]  ? SyS_shutdown+0x160/0x160
[ 35.239144]  ? up_read+0x17/0x30
[ 35.242623]  ? __do_page_fault+0x159/0xad0
[ 35.246918]  SyS_sendmsg+0x27/0x40
[ 35.250465]  ? __sys_sendmsg+0x120/0x120
[ 35.254532]  do_syscall_64+0x1d5/0x640
[ 35.259028]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.265141] RIP: 0033:0x440739
[ 35.269506] RSP: 002b:00007ffe6df5d2c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 35.278127] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 0000000000440739
[ 35.286151] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
[ 35.293956] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 35.303896] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000870f
[ 35.311990] R13: 00007ffe6df5d2dc R14: 00007ffe6df5d2f0 R15: 00007ffe6df5d2e0
[ 35.319556]
[ 35.321949] Allocated by task 8078:
[ 35.326299]  kasan_kmalloc+0xeb/0x160
[ 35.330503]  kmem_cache_alloc_trace+0x131/0x3d0
[ 35.336117]  nbd_dev_add+0x7c/0x800
[ 35.340583]  nbd_genl_connect+0x3a4/0x1400
[ 35.345233]  genl_family_rcv_msg+0x572/0xb20
[ 35.351127]  genl_rcv_msg+0xaf/0x140
[ 35.355499]  netlink_rcv_skb+0x125/0x390
[ 35.360426]  genl_rcv+0x24/0x40
[ 35.364341]  netlink_unicast+0x437/0x610
[ 35.370288]  netlink_sendmsg+0x62e/0xb80
[ 35.376205]  sock_sendmsg+0xb5/0x100
[ 35.380212]  ___sys_sendmsg+0x6c8/0x800
[ 35.386576]  __sys_sendmsg+0xa3/0x120
[ 35.392859]  SyS_sendmsg+0x27/0x40
[ 35.397546]  do_syscall_64+0x1d5/0x640
[ 35.407238]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.414154]
[ 35.416398] Freed by task 8088:
[ 35.427346]  kasan_slab_free+0xc3/0x1a0
[ 35.432556]  kfree+0xc9/0x250
[ 35.436149]  nbd_put.part.0+0x100/0x140
[ 35.440209]  nbd_config_put+0x62a/0x810
[ 35.444411]  nbd_genl_connect+0xf6c/0x1400
[ 35.449034]  genl_family_rcv_msg+0x572/0xb20
[ 35.453585]  genl_rcv_msg+0xaf/0x140
[ 35.460507]  netlink_rcv_skb+0x125/0x390
[ 35.465456]  genl_rcv+0x24/0x40
[ 35.471125]  netlink_unicast+0x437/0x610
[ 35.476393]  netlink_sendmsg+0x62e/0xb80
[ 35.480675]  sock_sendmsg+0xb5/0x100
[ 35.484664]  ___sys_sendmsg+0x6c8/0x800
[ 35.488718]  __sys_sendmsg+0xa3/0x120
[ 35.493034]  SyS_sendmsg+0x27/0x40
[ 35.496900]  do_syscall_64+0x1d5/0x640
[ 35.501956]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.508897]
[ 35.510549] The buggy address belongs to the object at ffff8880b3525000
[ 35.510549]  which belongs to the cache kmalloc-512 of size 512
[ 35.523613] The buggy address is located 216 bytes inside of
[ 35.523613]  512-byte region [ffff8880b3525000, ffff8880b3525200)
[ 35.543791] The buggy address belongs to the page:
[ 35.551002] page:ffffea0002cd4940 count:1 mapcount:0 mapping:ffff8880b3525000 index:0x0
[ 35.559298] flags: 0xfff00000000100(slab)
[ 35.564000] raw: 00fff00000000100 ffff8880b3525000 0000000000000000 0000000100000006
[ 35.572583] raw: ffffea0002cd22a0 ffffea0002c3d020 ffff88813fe80940 0000000000000000
[ 35.580932] page dumped because: kasan: bad access detected
[ 35.586795]
[ 35.588415] Memory state around the buggy address:
[ 35.593955]  ffff8880b3524f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.601718]  ffff8880b3525000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.609204] >ffff8880b3525080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.616926]                                                     ^
[ 35.623548]  ffff8880b3525100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.631664]  ffff8880b3525180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.639903] ==================================================================
[ 35.648058] Disabling lock debugging due to kernel taint
[ 35.658591] Kernel panic - not syncing: panic_on_warn set ...
[ 35.658591]
[ 35.666054] CPU: 1 PID: 8088 Comm: syz-executor475 Tainted: G B 4.14.230-syzkaller #0
[ 35.675787] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.686258] Call Trace:
[ 35.688949]  dump_stack+0x1b2/0x281
[ 35.693203]  panic+0x1f9/0x42d
[ 35.696702]  ? add_taint.cold+0x16/0x16
[ 35.701427]  ? ___preempt_schedule+0x16/0x18
[ 35.706549]  kasan_end_report+0x43/0x49
[ 35.711209]  kasan_report_error.cold+0xa7/0x191
[ 35.720345]  ? refcount_dec_not_one+0x9a/0xc0
[ 35.724939]  __asan_report_load4_noabort+0x68/0x70
[ 35.730348]  ? refcount_dec_not_one+0x9a/0xc0
[ 35.735197]  refcount_dec_not_one+0x9a/0xc0
[ 35.739737]  refcount_dec_and_mutex_lock+0x1a/0x60
[ 35.745063]  nbd_genl_connect+0xf94/0x1400
[ 35.752881]  ? nbd_xmit_timeout+0x500/0x500
[ 35.757917]  ? validate_nla+0x192/0x5e0
[ 35.762632]  genl_family_rcv_msg+0x572/0xb20
[ 35.768712]  ? genl_rcv+0x40/0x40
[ 35.772391]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 35.782601]  ? trace_hardirqs_on+0x10/0x10
[ 35.787377]  ? sock_sendmsg+0xb5/0x100
[ 35.792249]  genl_rcv_msg+0xaf/0x140
[ 35.796133]  netlink_rcv_skb+0x125/0x390
[ 35.800191]  ? genl_family_rcv_msg+0xb20/0xb20
[ 35.804957]  ? netlink_ack+0x9a0/0x9a0
[ 35.809131]  ? lock_acquire+0x170/0x3f0
[ 35.813229]  genl_rcv+0x24/0x40
[ 35.818094]  netlink_unicast+0x437/0x610
[ 35.824414]  ? netlink_sendskb+0xd0/0xd0
[ 35.828461]  ? __check_object_size+0x179/0x230
[ 35.833054]  netlink_sendmsg+0x62e/0xb80
[ 35.837118]  ? nlmsg_notify+0x170/0x170
[ 35.841085]  ? kernel_recvmsg+0x210/0x210
[ 35.845670]  ? security_socket_sendmsg+0x83/0xb0
[ 35.850412]  ? nlmsg_notify+0x170/0x170
[ 35.854381]  sock_sendmsg+0xb5/0x100
[ 35.859486]  ___sys_sendmsg+0x6c8/0x800
[ 35.863463]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 35.868218]  ? netlink_dump+0xad0/0xad0
[ 35.872188]  ? nlmsg_notify+0x170/0x170
[ 35.876168]  ? security_socket_recvmsg+0x8b/0xc0
[ 35.880922]  ? SyS_recvfrom+0x27f/0x340
[ 35.884976]  ? SyS_send+0x40/0x40
[ 35.888433]  ? vm_insert_page+0x7c0/0x7c0
[ 35.892581]  ? __fdget+0x167/0x1f0
[ 35.896122]  ? sockfd_lookup_light+0xb2/0x160
[ 35.902865]  __sys_sendmsg+0xa3/0x120
[ 35.907387]  ? SyS_shutdown+0x160/0x160
[ 35.914073]  ? up_read+0x17/0x30
[ 35.917443]  ? __do_page_fault+0x159/0xad0
[ 35.921676]  SyS_sendmsg+0x27/0x40
[ 35.925995]  ? __sys_sendmsg+0x120/0x120
[ 35.930320]  do_syscall_64+0x1d5/0x640
[ 35.935167]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.941123] RIP: 0033:0x440739
[ 35.944533] RSP: 002b:00007ffe6df5d2c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 35.952943] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 0000000000440739
[ 35.960656] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
[ 35.968033] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 35.975302] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000870f
[ 35.982593] R13: 00007ffe6df5d2dc R14: 00007ffe6df5d2f0 R15: 00007ffe6df5d2e0
[ 35.990785] Kernel Offset: disabled
[ 35.994444] Rebooting in 86400 seconds..