Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.94' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 66.922947][ T8435] netlink: 4 bytes leftover after parsing attributes in process `syz-executor243'.
[ 66.932500][ T8435] netlink: 4 bytes leftover after parsing attributes in process `syz-executor243'.
[ 66.942583][ T8435] netlink: 4 bytes leftover after parsing attributes in process `syz-executor243'.
[ 66.952044][ T8435] netlink: 4 bytes leftover after parsing attributes in process `syz-executor243'.
[ 66.961434][ T8435] netlink: 4 bytes leftover after parsing attributes in process `syz-executor243'.
executing program
[ 66.970791][ T8435] netlink: 4 bytes leftover after parsing attributes in process `syz-executor243'.
[ 67.004497][ T8438] netlink: 4 bytes leftover after parsing attributes in process `syz-executor243'.
[ 67.014028][ T8438] netlink: 4 bytes leftover after parsing attributes in process `syz-executor243'.
[ 67.023559][ T8438] netlink: 4 bytes leftover after parsing attributes in process `syz-executor243'.
[ 67.034004][ T8438] netlink: 4 bytes leftover after parsing attributes in process `syz-executor243'.
executing program
executing program
[ 67.189220][ T8446] ==================================================================
[ 67.197527][ T8446] BUG: KASAN: use-after-free in refcount_dec_not_one+0x71/0x1e0
[ 67.205205][ T8446] Read of size 4 at addr ffff88801a29e1a0 by task syz-executor243/8446
[ 67.213454][ T8446]
[ 67.215784][ T8446] CPU: 1 PID: 8446 Comm: syz-executor243 Not tainted 5.11.0-rc7-syzkaller #0
[ 67.224529][ T8446] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.234625][ T8446] Call Trace:
[ 67.237897][ T8446] dump_stack+0x107/0x163
[ 67.242264][ T8446] ? refcount_dec_not_one+0x71/0x1e0
[ 67.247539][ T8446] ? refcount_dec_not_one+0x71/0x1e0
[ 67.252812][ T8446] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 67.259828][ T8446] ? refcount_dec_not_one+0x71/0x1e0
[ 67.265101][ T8446] ? refcount_dec_not_one+0x71/0x1e0
[ 67.270386][ T8446] kasan_report.cold+0x79/0xd5
[ 67.275141][ T8446] ? refcount_dec_not_one+0x71/0x1e0
[ 67.280413][ T8446] check_memory_region+0x13d/0x180
[ 67.285530][ T8446] refcount_dec_not_one+0x71/0x1e0
[ 67.290638][ T8446] ? refcount_warn_saturate+0x1e0/0x1e0
[ 67.296175][ T8446] ? nbd_config_put+0x5d0/0x8c0
[ 67.301023][ T8446] refcount_dec_and_mutex_lock+0x19/0x140
[ 67.306782][ T8446] nbd_genl_connect+0xee7/0x1560
[ 67.311758][ T8446] ? nbd_start_device+0xd40/0xd40
[ 67.316828][ T8446] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.323062][ T8446] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x1b7/0x290
[ 67.330423][ T8446] ? genl_family_rcv_msg_attrs_parse.constprop.0+0xaf/0x290
[ 67.337706][ T8446] genl_family_rcv_msg_doit+0x228/0x320
[ 67.343243][ T8446] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x290/0x290
[ 67.350642][ T8446] ? genl_op_from_small+0x23/0x3c0
[ 67.355742][ T8446] ? genl_get_cmd+0x3cf/0x480
[ 67.360409][ T8446] genl_rcv_msg+0x328/0x580
[ 67.364918][ T8446] ? genl_get_cmd+0x480/0x480
[ 67.369605][ T8446] ? nbd_start_device+0xd40/0xd40
[ 67.374715][ T8446] ? lock_release+0x710/0x710
[ 67.379402][ T8446] netlink_rcv_skb+0x153/0x420
[ 67.384161][ T8446] ? genl_get_cmd+0x480/0x480
[ 67.388827][ T8446] ? netlink_ack+0xaa0/0xaa0
[ 67.393431][ T8446] genl_rcv+0x24/0x40
[ 67.397400][ T8446] netlink_unicast+0x533/0x7d0
[ 67.402162][ T8446] ? netlink_attachskb+0x870/0x870
[ 67.407282][ T8446] ? _copy_from_iter_full+0x275/0x850
[ 67.412652][ T8446] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 67.418880][ T8446] ? __phys_addr_symbol+0x2c/0x70
[ 67.423906][ T8446] ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 67.429612][ T8446] ? __check_object_size+0x171/0x3f0
[ 67.434894][ T8446] netlink_sendmsg+0x856/0xd90
[ 67.439662][ T8446] ? netlink_unicast+0x7d0/0x7d0
[ 67.444608][ T8446] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.450855][ T8446] ? netlink_unicast+0x7d0/0x7d0
[ 67.455794][ T8446] sock_sendmsg+0xcf/0x120
[ 67.460199][ T8446] ____sys_sendmsg+0x6e8/0x810
[ 67.464952][ T8446] ? kernel_sendmsg+0x50/0x50
[ 67.469645][ T8446] ? do_recvmmsg+0x6c0/0x6c0
[ 67.474221][ T8446] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.480448][ T8446] ? netlink_recvmsg+0x826/0xee0
[ 67.485379][ T8446] ___sys_sendmsg+0xf3/0x170
[ 67.489970][ T8446] ? sendmsg_copy_msghdr+0x160/0x160
[ 67.495251][ T8446] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.501513][ T8446] ? security_socket_recvmsg+0x8f/0xc0
[ 67.506962][ T8446] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.513190][ T8446] ? __sys_recvfrom+0x2cc/0x3a0
[ 67.518042][ T8446] ? __ia32_sys_send+0x100/0x100
[ 67.523012][ T8446] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 67.529257][ T8446] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.535500][ T8446] ? __fget_light+0x215/0x280
[ 67.540226][ T8446] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 67.546506][ T8446] __sys_sendmsg+0xe5/0x1b0
[ 67.551024][ T8446] ? __sys_sendmsg_sock+0xb0/0xb0
[ 67.556037][ T8446] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.562291][ T8446] ? syscall_enter_from_user_mode+0x1d/0x50
[ 67.568179][ T8446] do_syscall_64+0x2d/0x70
[ 67.572582][ T8446] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.578470][ T8446] RIP: 0033:0x440859
[ 67.582364][ T8446] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 67.601956][ T8446] RSP: 002b:00007ffe188ac208 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 67.610364][ T8446] RAX: ffffffffffffffda RBX: 0000000000010625 RCX: 0000000000440859
[ 67.618346][ T8446] RDX: 0000000002000800 RSI: 0000000020002580 RDI: 0000000000000003
[ 67.626319][ T8446] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffe188ac3a8
[ 67.634285][ T8446] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe188ac21c
[ 67.643631][ T8446] R13: 431bde82d7b634db R14: 00000000004ae018 R15: 00000000004004a0
[ 67.651602][ T8446]
[ 67.653909][ T8446] Allocated by task 1:
[ 67.657955][ T8446] kasan_save_stack+0x1b/0x40
[ 67.662620][ T8446] ____kasan_kmalloc.constprop.0+0x82/0xa0
[ 67.668410][ T8446] nbd_dev_add+0x44/0x8e0
[ 67.672729][ T8446] nbd_init+0x250/0x271
[ 67.676871][ T8446] do_one_initcall+0x103/0x650
[ 67.681626][ T8446] kernel_init_freeable+0x605/0x689
[ 67.686810][ T8446] kernel_init+0xd/0x1b8
[ 67.691038][ T8446] ret_from_fork+0x1f/0x30
[ 67.695453][ T8446]
[ 67.697770][ T8446] Freed by task 8446:
[ 67.701729][ T8446] kasan_save_stack+0x1b/0x40
[ 67.706393][ T8446] kasan_set_track+0x1c/0x30
[ 67.710974][ T8446] kasan_set_free_info+0x20/0x30
[ 67.715898][ T8446] ____kasan_slab_free+0xe1/0x110
[ 67.720910][ T8446] slab_free_freelist_hook+0x5d/0x150
[ 67.726263][ T8446] kfree+0xdb/0x3b0
[ 67.730052][ T8446] nbd_put.part.0+0x180/0x1d0
[ 67.734715][ T8446] nbd_config_put+0x6dd/0x8c0
[ 67.739379][ T8446] nbd_genl_connect+0xeb7/0x1560
[ 67.744304][ T8446] genl_family_rcv_msg_doit+0x228/0x320
[ 67.749839][ T8446] genl_rcv_msg+0x328/0x580
[ 67.754342][ T8446] netlink_rcv_skb+0x153/0x420
[ 67.759098][ T8446] genl_rcv+0x24/0x40
[ 67.763076][ T8446] netlink_unicast+0x533/0x7d0
[ 67.767826][ T8446] netlink_sendmsg+0x856/0xd90
[ 67.772649][ T8446] sock_sendmsg+0xcf/0x120
[ 67.777052][ T8446] ____sys_sendmsg+0x6e8/0x810
[ 67.781800][ T8446] ___sys_sendmsg+0xf3/0x170
[ 67.786376][ T8446] __sys_sendmsg+0xe5/0x1b0
[ 67.790864][ T8446] do_syscall_64+0x2d/0x70
[ 67.795267][ T8446] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.801155][ T8446]
[ 67.803459][ T8446] The buggy address belongs to the object at ffff88801a29e000
[ 67.803459][ T8446] which belongs to the cache kmalloc-1k of size 1024
[ 67.817498][ T8446] The buggy address is located 416 bytes inside of
[ 67.817498][ T8446] 1024-byte region [ffff88801a29e000, ffff88801a29e400)
[ 67.830864][ T8446] The buggy address belongs to the page:
[ 67.836474][ T8446] page:0000000020fa1daf refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1a298
[ 67.846608][ T8446] head:0000000020fa1daf order:3 compound_mapcount:0 compound_pincount:0
[ 67.854913][ T8446] flags: 0xfff00000010200(slab|head)
[ 67.860205][ T8446] raw: 00fff00000010200 ffffea00004e5e00 0000000600000006 ffff888010c41140
[ 67.868773][ T8446] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 67.877348][ T8446] page dumped because: kasan: bad access detected
[ 67.883738][ T8446]
[ 67.886047][ T8446] Memory state around the buggy address:
[ 67.891656][ T8446] ffff88801a29e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.899699][ T8446] ffff88801a29e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.907761][ T8446] >ffff88801a29e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.915817][ T8446] ^
[ 67.920925][ T8446] ffff88801a29e200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.928971][ T8446] ffff88801a29e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.937020][ T8446] ==================================================================
[ 67.945057][ T8446] Disabling lock debugging due to kernel taint
[ 67.951467][ T8446] Kernel panic - not syncing: panic_on_warn set ...
[ 67.958056][ T8446] CPU: 1 PID: 8446 Comm: syz-executor243 Tainted: G B 5.11.0-rc7-syzkaller #0
[ 67.968209][ T8446] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.978267][ T8446] Call Trace:
[ 67.981550][ T8446] dump_stack+0x107/0x163
[ 67.985891][ T8446] ? refcount_dec_not_one+0x10/0x1e0
[ 67.991194][ T8446] panic+0x306/0x73d
[ 67.995101][ T8446] ? __warn_printk+0xf3/0xf3
[ 67.999680][ T8446] ? preempt_schedule_common+0x59/0xc0
[ 68.005120][ T8446] ? refcount_dec_not_one+0x71/0x1e0
[ 68.010397][ T8446] ? preempt_schedule_thunk+0x16/0x18
[ 68.015760][ T8446] ? trace_hardirqs_on+0x38/0x1c0
[ 68.020771][ T8446] ? trace_hardirqs_on+0x51/0x1c0
[ 68.025785][ T8446] ? refcount_dec_not_one+0x71/0x1e0
[ 68.031058][ T8446] ? refcount_dec_not_one+0x71/0x1e0
[ 68.036329][ T8446] end_report+0x58/0x5e
[ 68.040470][ T8446] kasan_report.cold+0x67/0xd5
[ 68.045222][ T8446] ? refcount_dec_not_one+0x71/0x1e0
[ 68.050504][ T8446] check_memory_region+0x13d/0x180
[ 68.055602][ T8446] refcount_dec_not_one+0x71/0x1e0
[ 68.060696][ T8446] ? refcount_warn_saturate+0x1e0/0x1e0
[ 68.066223][ T8446] ? nbd_config_put+0x5d0/0x8c0
[ 68.071065][ T8446] refcount_dec_and_mutex_lock+0x19/0x140
[ 68.076823][ T8446] nbd_genl_connect+0xee7/0x1560
[ 68.081755][ T8446] ? nbd_start_device+0xd40/0xd40
[ 68.086767][ T8446] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 68.092996][ T8446] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x1b7/0x290
[ 68.100356][ T8446] ? genl_family_rcv_msg_attrs_parse.constprop.0+0xaf/0x290
[ 68.107627][ T8446] genl_family_rcv_msg_doit+0x228/0x320
[ 68.113162][ T8446] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x290/0x290
[ 68.120563][ T8446] ? genl_op_from_small+0x23/0x3c0
[ 68.125668][ T8446] ? genl_get_cmd+0x3cf/0x480
[ 68.130397][ T8446] genl_rcv_msg+0x328/0x580
[ 68.134886][ T8446] ? genl_get_cmd+0x480/0x480
[ 68.139547][ T8446] ? nbd_start_device+0xd40/0xd40
[ 68.144558][ T8446] ? lock_release+0x710/0x710
[ 68.149218][ T8446] netlink_rcv_skb+0x153/0x420
[ 68.153968][ T8446] ? genl_get_cmd+0x480/0x480
[ 68.158642][ T8446] ? netlink_ack+0xaa0/0xaa0
[ 68.163215][ T8446] genl_rcv+0x24/0x40
[ 68.167179][ T8446] netlink_unicast+0x533/0x7d0
[ 68.171923][ T8446] ? netlink_attachskb+0x870/0x870
[ 68.177016][ T8446] ? _copy_from_iter_full+0x275/0x850
[ 68.182369][ T8446] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 68.188592][ T8446] ? __phys_addr_symbol+0x2c/0x70
[ 68.193600][ T8446] ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 68.199322][ T8446] ? __check_object_size+0x171/0x3f0
[ 68.204588][ T8446] netlink_sendmsg+0x856/0xd90
[ 68.209339][ T8446] ? netlink_unicast+0x7d0/0x7d0
[ 68.214284][ T8446] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 68.220511][ T8446] ? netlink_unicast+0x7d0/0x7d0
[ 68.225433][ T8446] sock_sendmsg+0xcf/0x120
[ 68.229832][ T8446] ____sys_sendmsg+0x6e8/0x810
[ 68.234575][ T8446] ? kernel_sendmsg+0x50/0x50
[ 68.239240][ T8446] ? do_recvmmsg+0x6c0/0x6c0
[ 68.243845][ T8446] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 68.250083][ T8446] ? netlink_recvmsg+0x826/0xee0
[ 68.255007][ T8446] ___sys_sendmsg+0xf3/0x170
[ 68.259579][ T8446] ? sendmsg_copy_msghdr+0x160/0x160
[ 68.264847][ T8446] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 68.271072][ T8446] ? security_socket_recvmsg+0x8f/0xc0
[ 68.276528][ T8446] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 68.282767][ T8446] ? __sys_recvfrom+0x2cc/0x3a0
[ 68.287601][ T8446] ? __ia32_sys_send+0x100/0x100
[ 68.292517][ T8446] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 68.298743][ T8446] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 68.304989][ T8446] ? __fget_light+0x215/0x280
[ 68.309649][ T8446] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 68.315872][ T8446] __sys_sendmsg+0xe5/0x1b0
[ 68.320373][ T8446] ? __sys_sendmsg_sock+0xb0/0xb0
[ 68.325383][ T8446] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 68.331619][ T8446] ? syscall_enter_from_user_mode+0x1d/0x50
[ 68.337540][ T8446] do_syscall_64+0x2d/0x70
[ 68.341943][ T8446] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 68.347825][ T8446] RIP: 0033:0x440859
[ 68.351705][ T8446] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 68.371393][ T8446] RSP: 002b:00007ffe188ac208 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 68.379791][ T8446] RAX: ffffffffffffffda RBX: 0000000000010625 RCX: 0000000000440859
[ 68.387773][ T8446] RDX: 0000000002000800 RSI: 0000000020002580 RDI: 0000000000000003
[ 68.395731][ T8446] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffe188ac3a8
[ 68.403682][ T8446] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe188ac21c
[ 68.411635][ T8446] R13: 431bde82d7b634db R14: 00000000004ae018 R15: 00000000004004a0
[ 68.420271][ T8446] Kernel Offset: disabled
[ 68.424608][ T8446] Rebooting in 86400 seconds..
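The report above, read by a small triage script. This is an added example and is not part of the syzkaller report, of syzbot, or of the kernel tree. It strips the console prefixes, keeps only reliable frames (dropping the `?` stale-frame guesses and the KASAN/allocator instrumentation frames), and cross-checks the faulting address against the object bounds and the shadow byte that KASAN printed. The sample input is an excerpt of this report re-split one console line per line; the frame-noise list and the shadow-byte legend are assumptions about generic-KASAN output of this kernel generation, not something the report itself states.

```python
"""Triage helper for a generic-KASAN report such as the one above. Added
example, not part of the syzkaller report, of syzbot or of the kernel tree: it
strips the "[ time][ Tpid] " console prefix, extracts the fields a triager reads
first and cross-checks them against each other."""
import re

# Generic-KASAN shadow values (mm/kasan/kasan.h) seen in slab reports (assumption).
SHADOW_LEGEND = {0x00: "accessible", 0xfb: "freed slab object", 0xfc: "slab redzone"}
PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*[TC]\d+\]\s?")
FRAME = re.compile(r"^([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Instrumentation/allocator frames found in every report: skipped so that each
# stack starts at the first frame belonging to the code under suspicion.
NOISE = ("dump_stack", "print_address_description", "kasan_", "____kasan",
         "check_memory_region", "slab_free_freelist_hook")

def frame_name(line):
    """Symbol of a reliable frame without compiler suffixes; None for '? ' frames."""
    m = None if line.startswith("? ") else FRAME.match(line)
    return m.group(1).split(".")[0] if m else None

def collect_stack(lines, start):
    """Reliable, non-noise frames from lines[start] up to the next blank line."""
    frames = []
    for ln in lines[start:]:
        if not ln:
            break
        name = frame_name(ln)
        if name and not name.startswith(NOISE):
            frames.append(name)
    return frames

def parse_report(text):
    """Structured view of one KASAN report (console prefixes are tolerated)."""
    lines = [PREFIX.sub("", raw).strip() for raw in text.splitlines()]
    r = {}
    for i, ln in enumerate(lines):
        if m := re.match(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+", ln):
            r["bug"], r["in"] = m.group(1), m.group(2).split(".")[0]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", ln):
            r.update(access=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16),
                     task=m.group(4), pid=int(m.group(5)))
        elif ln == "Call Trace:" and "use_stack" not in r:
            r["use_stack"] = collect_stack(lines, i + 1)
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", ln):
            who = m.group(1).lower()[:5]  # "alloc" or "freed"
            r[who + "_task"], r[who + "_stack"] = int(m.group(2)), collect_stack(lines, i + 1)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", ln):
            r["obj_base"] = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", ln):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", ln):
            r["offset_reported"] = int(m.group(1))
        elif m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2} ?){16})$", ln):
            row_base, cells = int(m.group(1), 16), m.group(2).split()
            r["shadow"] = int(cells[(r["addr"] - row_base) // 8], 16)  # 1 shadow byte per 8 bytes
    return r

def triage(r):
    """Cross-checks plus the facts a reviewer wants before opening the driver source."""
    offset = r["addr"] - r["obj_base"]
    use, freed = r["use_stack"], r["freed_stack"]
    return {
        "offset_matches_report": offset == r["offset_reported"],
        "shadow_meaning": SHADOW_LEGEND.get(r["shadow"], f'0x{r["shadow"]:02x}'),
        "freed_by_reporting_task": r["freed_task"] == r["pid"],
        "alloc_site": r["alloc_stack"][0],
        "free_path": freed[:4],
        "use_path": use[:3],
        # Innermost frame common to the use and free stacks: the function that
        # dropped the object and then touched it again in the same call.
        "shared_frame": next((f for f in use if f in freed), None),
    }

# Excerpt of the report on this page, re-split one console line per line.
SAMPLE_REPORT = """\
[   67.197527][ T8446] BUG: KASAN: use-after-free in refcount_dec_not_one+0x71/0x1e0
[   67.205205][ T8446] Read of size 4 at addr ffff88801a29e1a0 by task syz-executor243/8446
[   67.213454][ T8446]
[   67.234625][ T8446] Call Trace:
[   67.280413][ T8446]  check_memory_region+0x13d/0x180
[   67.285530][ T8446]  refcount_dec_not_one+0x71/0x1e0
[   67.296175][ T8446]  ? nbd_config_put+0x5d0/0x8c0
[   67.301023][ T8446]  refcount_dec_and_mutex_lock+0x19/0x140
[   67.306782][ T8446]  nbd_genl_connect+0xee7/0x1560
[   67.651602][ T8446]
[   67.653909][ T8446] Allocated by task 1:
[   67.668410][ T8446]  nbd_dev_add+0x44/0x8e0
[   67.695453][ T8446]
[   67.697770][ T8446] Freed by task 8446:
[   67.726263][ T8446]  kfree+0xdb/0x3b0
[   67.730052][ T8446]  nbd_put.part.0+0x180/0x1d0
[   67.734715][ T8446]  nbd_config_put+0x6dd/0x8c0
[   67.739379][ T8446]  nbd_genl_connect+0xeb7/0x1560
[   67.801155][ T8446]
[   67.803459][ T8446] The buggy address belongs to the object at ffff88801a29e000
[   67.803459][ T8446]  which belongs to the cache kmalloc-1k of size 1024
[   67.817498][ T8446] The buggy address is located 416 bytes inside of
[   67.907761][ T8446] >ffff88801a29e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""
```

Run `triage(parse_report(SAMPLE_REPORT))` on the excerpt and the derived fields restate what the report shows: the 1024-byte kmalloc-1k object was allocated by task 1 (kernel init) in nbd_dev_add, the reporting task itself freed it through nbd_config_put, nbd_put and kfree from inside nbd_genl_connect, and the same nbd_genl_connect call then read 4 bytes at offset 416 through refcount_dec_and_mutex_lock, where the shadow byte 0xfb marks freed slab memory. A free and a use that share a frame in one task are a sequential ordering problem inside that frame rather than a cross-task race, which is the first thing to check in the driver source. The caret position and the `Tainted` flags of the second trace are lost to whitespace collapsing in the page, so the script derives the shadow index from the addresses instead of relying on the caret.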