program: r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nbd(&(0x7f0000000240), 0xffffffffffffffff) syz_mount_image$ext4(&(0x7f0000000240)='ext4\x00', &(0x7f0000000280)='./mnt\x00', 0x0, &(0x7f00000002c0), 0x0, 0x236, &(0x7f0000000300)="$eJzs3TFoM2UcBvDnLomf/b4gVRdBUEFEtFDqJrjURaEgpYgIKlREXJRWqC1urZOLg84qnVyKuFkdpUtxUQSnqh3qImhxsDjoELlcK9VGFFNz8t3vB5fcJe97//e4e95kOS5Aa00nmU/SSTKTpJekON/grnqZPt3cntpfTgaDx38shu3q7dpZv2tJtpI8mGSvLPJiN9nYffro54NH731jvXfPe7tPTU30IE8dHx0+dvLu4usfLjyw8fmX3y8WmU//D8d1+YoRn3WL5Jb/otj/RNFtegT8E0uvfvBVlftbk9w9zH8vZeqT9+baDXu93P/OX/V964cvbp/kWIHLNxj0qt/ArQHQOmWSfopyNkm9Xpazs/V/+K87V8uXVtdemXlhdX3l+aZnKuCy9JPDRz6+8tG1P+X/u06df+D6VeX/iaWdb6r1k07TowEmqcr/zLOb90X+oXXkH9pL/qG95B/aS/6hveQf2kv+ob3kH9pL/qG95B/a63z+AYB2GVxp+g5koClNzz8AAAAAAAAAAAAAAAAAAMBF21P7y2fLpGp++nZy/HCS7qj6neHziJMbh69XfyqqZr8r6m5jeebOMXcwpvcbvvv6pm+brf/ZHc3W31xJtl5LMtftXrz+itPr79+7+W++7z03ZoExPfRks/V/3Wm2/sJB8kk1/8yNmn/K3DZ8Hz3/9KvzN2b9l38ZcwcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMzG8BAAD//8n0bSk=") (async) r2 = syz_mount_image$ext4(&(0x7f0000000240)='ext4\x00', &(0x7f0000000280)='./mnt\x00', 0x0, &(0x7f00000002c0), 0x0, 0x236, &(0x7f0000000300)="$eJzs3TFoM2UcBvDnLomf/b4gVRdBUEFEtFDqJrjURaEgpYgIKlREXJRWqC1urZOLg84qnVyKuFkdpUtxUQSnqh3qImhxsDjoELlcK9VGFFNz8t3vB5fcJe97//e4e95kOS5Aa00nmU/SSTKTpJekON/grnqZPt3cntpfTgaDx38shu3q7dpZv2tJtpI8mGSvLPJiN9nYffro54NH731jvXfPe7tPTU30IE8dHx0+dvLu4usfLjyw8fmX3y8WmU//D8d1+YoRn3WL5Jb/otj/RNFtegT8E0uvfvBVlftbk9w9zH8vZeqT9+baDXu93P/OX/V964cvbp/kWIHLNxj0qt/ArQHQOmWSfopyNkm9Xpazs/V/+K87V8uXVtdemXlhdX3l+aZnKuCy9JPDRz6+8tG1P+X/u06df+D6VeX/iaWdb6r1k07TowEmqcr/zLOb90X+oXXkH9pL/qG95B/aS/6hveQf2kv+ob3kH9pL/qG95B/a63z+AYB2GVxp+g5koClNzz8AAAAAAAAAAAAAAAAAAMBF21P7y2fLpGp++nZy/HCS7qj6neHziJMbh69XfyqqZr8r6m5jeebOMXcwpvcbvvv6pm+brf/ZHc3W31xJtl5LMtftXrz+itPr79+7+W++7z03ZoExPfRks/V/3Wm2/sJB8kk1/8yNmn/K3DZ8Hz3/9KvzN2b9l38ZcwcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMzG8BAAD//8n0bSk=") ioctl$FS_IOC_FIEMAP(r2, 0xc020660b, &(0x7f0000000080)={0x400, 0x3fffffffc00, 0x5, 0x7a}) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000280)) (async) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000280)={0xffffffffffffffff}) sendmsg$NBD_CMD_CONNECT(r0, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000300)={0x30, r1, 0x1, 0x70bd25, 0x25dfdbfd, {}, [@NBD_ATTR_SOCKETS={0x10, 0x7, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, {0x8, 0x1, r3}}]}, @NBD_ATTR_SIZE_BYTES={0xc, 0x2, 0x5}]}, 0x30}, 0x1, 0x0, 0x0, 0x4010}, 0x40040) r4 = syz_open_dev$ndb(&(0x7f0000000080), 0x0, 0x101402) ioctl$NBD_CLEAR_SOCK(r4, 0xab04) [ 135.476142][ T5312] Bluetooth: hci0: command tx timeout [ 135.582784][ T5336] loop0: detected capacity change from 0 to 128 [ 135.605454][ T5336] /dev/loop0: Can't open blockdev [ 135.693553][ T5336] block nbd0: shutting down sockets [ 135.724226][ T5312] ================================================================== [ 135.728196][ T5312] BUG: KASAN: slab-use-after-free in recv_work+0x1b1a/0x1c10 [ 135.731615][ T5312] Write of size 4 at addr ffff88804285b078 by task kworker/u5:2/5312 [ 135.735099][ T5312] [ 135.736246][ T5312] CPU: 0 UID: 0 PID: 5312 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 135.736264][ T5312] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 135.736338][ T5312] Workqueue: nbd0-recv recv_work [ 135.736361][ T5312] Call Trace: [ 135.736373][ T5312] [ 135.736380][ T5312] dump_stack_lvl+0x189/0x250 [ 135.736402][ T5312] ? rcu_is_watching+0x15/0xb0 [ 135.736416][ T5312] ? __kasan_check_byte+0x12/0x40 [ 135.736434][ T5312] ? __pfx_dump_stack_lvl+0x10/0x10 [ 135.736453][ T5312] ? rcu_is_watching+0x15/0xb0 [ 135.736472][ T5312] ? lock_release+0x4b/0x3e0 [ 135.736484][ T5312] ? __virt_addr_valid+0x1c8/0x5c0 [ 135.736506][ T5312] ? __virt_addr_valid+0x4a5/0x5c0 [ 135.736519][ T5312] print_report+0xca/0x240 [ 135.736533][ T5312] ? recv_work+0x1b1a/0x1c10 [ 135.736541][ T5312] kasan_report+0x118/0x150 [ 135.736555][ T5312] ? recv_work+0x1b1a/0x1c10 [ 135.736565][ T5312] kasan_check_range+0x2b0/0x2c0 [ 135.736581][ T5312] recv_work+0x1b1a/0x1c10 [ 135.736591][ T5312] ? lockdep_unlock+0x89/0x120 [ 135.736611][ T5312] ? __pfx_recv_work+0x10/0x10 [ 135.736621][ T5312] ? __lock_acquire+0xab9/0xd20 [ 135.736634][ T5312] ? _raw_spin_unlock_irq+0x23/0x50 [ 135.736713][ T5312] ? process_scheduled_works+0x9ef/0x17b0 [ 135.736726][ T5312] ? process_scheduled_works+0x9ef/0x17b0 [ 135.736738][ T5312] process_scheduled_works+0xae1/0x17b0 [ 135.736756][ T5312] ? __pfx_process_scheduled_works+0x10/0x10 [ 135.736771][ T5312] worker_thread+0x8a0/0xda0 [ 135.736783][ T5312] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 135.736798][ T5312] ? __kthread_parkme+0x7b/0x200 [ 135.736814][ T5312] kthread+0x711/0x8a0 [ 135.736829][ T5312] ? __pfx_worker_thread+0x10/0x10 [ 135.736841][ T5312] ? __pfx_kthread+0x10/0x10 [ 135.736855][ T5312] ? _raw_spin_unlock_irq+0x23/0x50 [ 135.736867][ T5312] ? lockdep_hardirqs_on+0x9c/0x150 [ 135.736881][ T5312] ? __pfx_kthread+0x10/0x10 [ 135.736893][ T5312] ret_from_fork+0x4bc/0x870 [ 135.736906][ T5312] ? __pfx_ret_from_fork+0x10/0x10 [ 135.736925][ T5312] ? __pfx_kthread+0x10/0x10 [ 135.736939][ T5312] ret_from_fork_asm+0x1a/0x30 [ 135.736953][ T5312] [ 135.736958][ T5312] [ 135.826974][ T5312] Allocated by task 5335: [ 135.828836][ T5312] kasan_save_track+0x3e/0x80 [ 135.830935][ T5312] __kasan_kmalloc+0x93/0xb0 [ 135.832853][ T5312] __kmalloc_cache_noprof+0x3d5/0x6f0 [ 135.835059][ T5312] nbd_alloc_and_init_config+0x88/0x260 [ 135.837305][ T5312] nbd_genl_connect+0x9d7/0x18f0 [ 135.839431][ T5312] genl_family_rcv_msg_doit+0x215/0x300 [ 135.841572][ T5312] genl_rcv_msg+0x60e/0x790 [ 135.843241][ T5312] netlink_rcv_skb+0x208/0x470 [ 135.845413][ T5312] genl_rcv+0x28/0x40 [ 135.847293][ T5312] netlink_unicast+0x82f/0x9e0 [ 135.849282][ T5312] netlink_sendmsg+0x805/0xb30 [ 135.851517][ T5312] __sock_sendmsg+0x21c/0x270 [ 135.853646][ T5312] ____sys_sendmsg+0x505/0x830 [ 135.855779][ T5312] ___sys_sendmsg+0x21f/0x2a0 [ 135.857869][ T5312] __x64_sys_sendmsg+0x19b/0x260 [ 135.860025][ T5312] do_syscall_64+0xfa/0xfa0 [ 135.862040][ T5312] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 135.864629][ T5312] [ 135.865620][ T5312] Freed by task 5312: [ 135.867230][ T5312] kasan_save_track+0x3e/0x80 [ 135.869186][ T5312] __kasan_save_free_info+0x46/0x50 [ 135.871536][ T5312] __kasan_slab_free+0x5c/0x80 [ 135.873517][ T5312] kfree+0x19a/0x6d0 [ 135.875127][ T5312] nbd_config_put+0x642/0x790 [ 135.877193][ T5312] recv_work+0x1b04/0x1c10 [ 135.879036][ T5312] process_scheduled_works+0xae1/0x17b0 [ 135.881309][ T5312] worker_thread+0x8a0/0xda0 [ 135.883179][ T5312] kthread+0x711/0x8a0 [ 135.884921][ T5312] ret_from_fork+0x4bc/0x870 [ 135.886809][ T5312] ret_from_fork_asm+0x1a/0x30 [ 135.888752][ T5312] [ 135.889815][ T5312] The buggy address belongs to the object at ffff88804285b000 [ 135.889815][ T5312] which belongs to the cache kmalloc-256 of size 256 [ 135.895601][ T5312] The buggy address is located 120 bytes inside of [ 135.895601][ T5312] freed 256-byte region [ffff88804285b000, ffff88804285b100) [ 135.901639][ T5312] [ 135.902712][ T5312] The buggy address belongs to the physical page: [ 135.905720][ T5312] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4285b [ 135.909479][ T5312] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 135.912723][ T5312] page_type: f5(slab) [ 135.914218][ T5312] raw: 04fff00000000000 ffff88801a041b40 dead000000000122 0000000000000000 [ 135.917864][ T5312] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 [ 135.921561][ T5312] page dumped because: kasan: bad access detected [ 135.924450][ T5312] page_owner tracks the page as allocated [ 135.926673][ T5312] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5335, tgid 5334 (syz.0.0), ts 135621781671, free_ts 135621251730 [ 135.934538][ T5312] post_alloc_hook+0x240/0x2a0 [ 135.936674][ T5312] get_page_from_freelist+0x2365/0x2440 [ 135.939488][ T5312] __alloc_frozen_pages_noprof+0x181/0x370 [ 135.942774][ T5312] alloc_pages_mpol+0x232/0x4a0 [ 135.945434][ T5312] allocate_slab+0x96/0x350 [ 135.947367][ T5312] ___slab_alloc+0xf56/0x1990 [ 135.949573][ T5312] __slab_alloc+0x65/0x100 [ 135.951601][ T5312] __kmalloc_cache_noprof+0x411/0x6f0 [ 135.953883][ T5312] nbd_alloc_and_init_config+0x88/0x260 [ 135.956315][ T5312] nbd_genl_connect+0x9d7/0x18f0 [ 135.958588][ T5312] genl_family_rcv_msg_doit+0x215/0x300 [ 135.960935][ T5312] genl_rcv_msg+0x60e/0x790 [ 135.962885][ T5312] netlink_rcv_skb+0x208/0x470 [ 135.965032][ T5312] genl_rcv+0x28/0x40 [ 135.966797][ T5312] netlink_unicast+0x82f/0x9e0 [ 135.968792][ T5312] netlink_sendmsg+0x805/0xb30 [ 135.970875][ T5312] page last free pid 15 tgid 15 stack trace: [ 135.973303][ T5312] __free_frozen_pages+0xbc4/0xd30 [ 135.975471][ T5312] rcu_core+0xcab/0x1770 [ 135.977276][ T5312] handle_softirqs+0x286/0x870 [ 135.979249][ T5312] run_ksoftirqd+0x9b/0x100 [ 135.981284][ T5312] smpboot_thread_fn+0x542/0xa60 [ 135.983199][ T5312] kthread+0x711/0x8a0 [ 135.984841][ T5312] ret_from_fork+0x4bc/0x870 [ 135.986665][ T5312] ret_from_fork_asm+0x1a/0x30 [ 135.988549][ T5312] [ 135.989451][ T5312] Memory state around the buggy address: [ 135.991938][ T5312] ffff88804285af00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 135.996173][ T5312] ffff88804285af80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 136.000649][ T5312] >ffff88804285b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 136.005038][ T5312] ^ [ 136.008551][ T5312] ffff88804285b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 136.011897][ T5312] ffff88804285b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 136.015541][ T5312] ================================================================== [ 136.035173][ T5312] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 136.038733][ T5312] CPU: 0 UID: 0 PID: 5312 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 136.042644][ T5312] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 136.047287][ T5312] Workqueue: nbd0-recv recv_work [ 136.049469][ T5312] Call Trace: [ 136.050896][ T5312] [ 136.052191][ T5312] dump_stack_lvl+0x99/0x250 [ 136.054074][ T5312] ? __asan_memcpy+0x40/0x70 [ 136.056177][ T5312] ? __pfx_dump_stack_lvl+0x10/0x10 [ 136.058428][ T5312] ? __pfx__printk+0x10/0x10 [ 136.060419][ T5312] vpanic+0x237/0x6d0 [ 136.062105][ T5312] ? __pfx_vpanic+0x10/0x10 [ 136.064057][ T5312] ? preempt_schedule+0xae/0xc0 [ 136.066139][ T5312] ? __pfx_preempt_schedule+0x10/0x10 [ 136.068409][ T5312] panic+0xb9/0xc0 [ 136.070030][ T5312] ? __pfx_panic+0x10/0x10 [ 136.071928][ T5312] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 136.074377][ T5312] ? recv_work+0x1b1a/0x1c10 [ 136.076308][ T5312] check_panic_on_warn+0x89/0xb0 [ 136.078411][ T5312] ? recv_work+0x1b1a/0x1c10 [ 136.080501][ T5312] end_report+0x78/0x160 [ 136.082243][ T5312] kasan_report+0x129/0x150 [ 136.084089][ T5312] ? recv_work+0x1b1a/0x1c10 [ 136.086084][ T5312] kasan_check_range+0x2b0/0x2c0 [ 136.088217][ T5312] recv_work+0x1b1a/0x1c10 [ 136.090211][ T5312] ? lockdep_unlock+0x89/0x120 [ 136.092272][ T5312] ? __pfx_recv_work+0x10/0x10 [ 136.094257][ T5312] ? __lock_acquire+0xab9/0xd20 [ 136.096348][ T5312] ? _raw_spin_unlock_irq+0x23/0x50 [ 136.098621][ T5312] ? process_scheduled_works+0x9ef/0x17b0 [ 136.101087][ T5312] ? process_scheduled_works+0x9ef/0x17b0 [ 136.103528][ T5312] process_scheduled_works+0xae1/0x17b0 [ 136.105878][ T5312] ? __pfx_process_scheduled_works+0x10/0x10 [ 136.108505][ T5312] worker_thread+0x8a0/0xda0 [ 136.110593][ T5312] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 136.113378][ T5312] ? __kthread_parkme+0x7b/0x200 [ 136.115452][ T5312] kthread+0x711/0x8a0 [ 136.117291][ T5312] ? __pfx_worker_thread+0x10/0x10 [ 136.119434][ T5312] ? __pfx_kthread+0x10/0x10 [ 136.121636][ T5312] ? _raw_spin_unlock_irq+0x23/0x50 [ 136.123966][ T5312] ? lockdep_hardirqs_on+0x9c/0x150 [ 136.126364][ T5312] ? __pfx_kthread+0x10/0x10 [ 136.128439][ T5312] ret_from_fork+0x4bc/0x870 [ 136.130458][ T5312] ? __pfx_ret_from_fork+0x10/0x10 [ 136.132682][ T5312] ? __pfx_kthread+0x10/0x10 [ 136.134747][ T5312] ret_from_fork_asm+0x1a/0x30 [ 136.137082][ T5312] [ 136.138863][ T5312] Kernel Offset: disabled [ 136.140682][ T5312] Rebooting in 86400 seconds..