Starting Update UTMP about System Runlevel Changes...
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.143' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 26.685935] netlink: 4 bytes leftover after parsing attributes in process `syz-executor506'.
[ 26.694642] netlink: 4 bytes leftover after parsing attributes in process `syz-executor506'.
[ 26.703669] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
[ 26.763910] netlink: 4 bytes leftover after parsing attributes in process `syz-executor506'.
[ 26.772689] netlink: 4 bytes leftover after parsing attributes in process `syz-executor506'.
[ 26.781884] nbd: socks must be embedded in a SOCK_ITEM attr
[ 26.827100] netlink: 4 bytes leftover after parsing attributes in process `syz-executor506'.
[ 26.836119] netlink: 4 bytes leftover after parsing attributes in process `syz-executor506'.
[ 26.845216] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 26.907677] netlink: 4 bytes leftover after parsing attributes in process `syz-executor506'.
[ 26.916597] netlink: 4 bytes leftover after parsing attributes in process `syz-executor506'.
[ 26.925822] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
[ 26.978082] netlink: 4 bytes leftover after parsing attributes in process `syz-executor506'.
[ 26.987004] netlink: 4 bytes leftover after parsing attributes in process `syz-executor506'.
[ 26.996369] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
[ 27.038110] nbd: socks must be embedded in a SOCK_ITEM attr
[ 27.075803] nbd: socks must be embedded in a SOCK_ITEM attr
[ 27.085542] nbd: socks must be embedded in a SOCK_ITEM attr
[ 27.119961] ==================================================================
[ 27.127397] BUG: KASAN: use-after-free in refcount_dec_not_one+0x9a/0xc0
[ 27.134260] Read of size 4 at addr ffff88809edea358 by task syz-executor506/8029
[ 27.141768]
[ 27.143375] CPU: 0 PID: 8029 Comm: syz-executor506 Not tainted 4.14.244-syzkaller #0
[ 27.151563] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.160945] Call Trace:
[ 27.163557]  dump_stack+0x1b2/0x281
[ 27.167168]  print_address_description.cold+0x54/0x1d3
[ 27.172422]  kasan_report_error.cold+0x8a/0x191
[ 27.177067]  ? refcount_dec_not_one+0x9a/0xc0
[ 27.181656]  __asan_report_load4_noabort+0x68/0x70
[ 27.186569]  ? refcount_dec_not_one+0x9a/0xc0
[ 27.191042]  refcount_dec_not_one+0x9a/0xc0
[ 27.195341]  refcount_dec_and_mutex_lock+0x1a/0x60
[ 27.200249]  nbd_genl_connect+0xf94/0x1400
[ 27.204464]  ? nbd_xmit_timeout+0x500/0x500
[ 27.208768]  ? validate_nla+0x192/0x5e0
[ 27.212724]  genl_family_rcv_msg+0x572/0xb20
[ 27.217216]  ? genl_rcv+0x40/0x40
[ 27.220694]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 27.226124]  ? trace_hardirqs_on+0x10/0x10
[ 27.230344]  ? sock_sendmsg+0xb5/0x100
[ 27.234212]  genl_rcv_msg+0xaf/0x140
[ 27.237901]  netlink_rcv_skb+0x125/0x390
[ 27.241938]  ? genl_family_rcv_msg+0xb20/0xb20
[ 27.246492]  ? netlink_ack+0x9a0/0x9a0
[ 27.250361]  ? lock_acquire+0x170/0x3f0
[ 27.254315]  genl_rcv+0x24/0x40
[ 27.257567]  netlink_unicast+0x437/0x610
[ 27.261687]  ? netlink_sendskb+0xd0/0xd0
[ 27.265722]  ? __check_object_size+0x179/0x230
[ 27.270290]  netlink_sendmsg+0x62e/0xb80
[ 27.274343]  ? nlmsg_notify+0x170/0x170
[ 27.278295]  ? kernel_recvmsg+0x210/0x210
[ 27.282423]  ? security_socket_sendmsg+0x83/0xb0
[ 27.287154]  ? nlmsg_notify+0x170/0x170
[ 27.291110]  sock_sendmsg+0xb5/0x100
[ 27.294844]  ___sys_sendmsg+0x6c8/0x800
[ 27.298794]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 27.303529]  ? netlink_dump+0xad0/0xad0
[ 27.307517]  ? nlmsg_notify+0x170/0x170
[ 27.311561]  ? security_socket_recvmsg+0x8b/0xc0
[ 27.316291]  ? SyS_recvfrom+0x27f/0x340
[ 27.320260]  ? SyS_send+0x40/0x40
[ 27.323688]  ? vm_insert_page+0x7c0/0x7c0
[ 27.327809]  ? __fdget+0x167/0x1f0
[ 27.331342]  ? sockfd_lookup_light+0xb2/0x160
[ 27.336015]  __sys_sendmsg+0xa3/0x120
[ 27.339795]  ? SyS_shutdown+0x160/0x160
[ 27.343748]  ? up_read+0x17/0x30
[ 27.347096]  ? __do_page_fault+0x159/0xad0
[ 27.351307]  SyS_sendmsg+0x27/0x40
[ 27.354824]  ? __sys_sendmsg+0x120/0x120
[ 27.358861]  do_syscall_64+0x1d5/0x640
[ 27.362725]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.367889] RIP: 0033:0x440669
[ 27.371055] RSP: 002b:00007fff26aa1c88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 27.378738] RAX: ffffffffffffffda RBX: 00000000000069b1 RCX: 0000000000440669
[ 27.385984] RDX: 0000000000000000 RSI: 0000000020000b40 RDI: 0000000000000003
[ 27.393229] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007fff26aa1e28
[ 27.400471] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff26aa1c9c
[ 27.407715] R13: 431bde82d7b634db R14: 00000000004ae018 R15: 00000000004004a0
[ 27.414973]
[ 27.416584] Allocated by task 8024:
[ 27.420190]  kasan_kmalloc+0xeb/0x160
[ 27.423968]  kmem_cache_alloc_trace+0x131/0x3d0
[ 27.428618]  nbd_dev_add+0x7c/0x800
[ 27.432225]  nbd_genl_connect+0x36c/0x1400
[ 27.436434]  genl_family_rcv_msg+0x572/0xb20
[ 27.440818]  genl_rcv_msg+0xaf/0x140
[ 27.444522]  netlink_rcv_skb+0x125/0x390
[ 27.448560]  genl_rcv+0x24/0x40
[ 27.451837]  netlink_unicast+0x437/0x610
[ 27.455872]  netlink_sendmsg+0x62e/0xb80
[ 27.459909]  sock_sendmsg+0xb5/0x100
[ 27.463610]  ___sys_sendmsg+0x6c8/0x800
[ 27.467560]  __sys_sendmsg+0xa3/0x120
[ 27.471334]  SyS_sendmsg+0x27/0x40
[ 27.474853]  do_syscall_64+0x1d5/0x640
[ 27.478718]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.483885]
[ 27.485491] Freed by task 8029:
[ 27.488752]  kasan_slab_free+0xc3/0x1a0
[ 27.492710]  kfree+0xc9/0x250
[ 27.495791]  nbd_put.part.0+0x100/0x140
[ 27.499758]  nbd_config_put+0x62a/0x810
[ 27.503709]  nbd_genl_connect+0xf6c/0x1400
[ 27.507919]  genl_family_rcv_msg+0x572/0xb20
[ 27.512320]  genl_rcv_msg+0xaf/0x140
[ 27.516010]  netlink_rcv_skb+0x125/0x390
[ 27.520046]  genl_rcv+0x24/0x40
[ 27.523301]  netlink_unicast+0x437/0x610
[ 27.527352]  netlink_sendmsg+0x62e/0xb80
[ 27.531411]  sock_sendmsg+0xb5/0x100
[ 27.535119]  ___sys_sendmsg+0x6c8/0x800
[ 27.539079]  __sys_sendmsg+0xa3/0x120
[ 27.542863]  SyS_sendmsg+0x27/0x40
[ 27.546406]  do_syscall_64+0x1d5/0x640
[ 27.550272]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.555443]
[ 27.557055] The buggy address belongs to the object at ffff88809edea280
[ 27.557055]  which belongs to the cache kmalloc-512 of size 512
[ 27.569876] The buggy address is located 216 bytes inside of
[ 27.569876]  512-byte region [ffff88809edea280, ffff88809edea480)
[ 27.581729] The buggy address belongs to the page:
[ 27.586645] page:ffffea00027b7a80 count:1 mapcount:0 mapping:ffff88809edea000 index:0xffff88809edea780
[ 27.596094] flags: 0xfff00000000100(slab)
[ 27.600223] raw: 00fff00000000100 ffff88809edea000 ffff88809edea780 0000000100000004
[ 27.608081] raw: ffffea0002809c60 ffffea00027f9c20 ffff88813fe80940 0000000000000000
[ 27.615938] page dumped because: kasan: bad access detected
[ 27.621713]
[ 27.623322] Memory state around the buggy address:
[ 27.628232]  ffff88809edea200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.635696]  ffff88809edea280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.643036] >ffff88809edea300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.650371]                                                     ^
[ 27.656581]  ffff88809edea380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.663942]  ffff88809edea400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.671278] ==================================================================
[ 27.678631] Disabling lock debugging due to kernel taint
[ 27.684850] Kernel panic - not syncing: panic_on_warn set ...
[ 27.684850]
[ 27.692242] CPU: 0 PID: 8029 Comm: syz-executor506 Tainted: G B 4.14.244-syzkaller #0
[ 27.701325] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.710755] Call Trace:
[ 27.713336]  dump_stack+0x1b2/0x281
[ 27.716955]  panic+0x1f9/0x42d
[ 27.720242]  ? add_taint.cold+0x16/0x16
[ 27.724195]  ? ___preempt_schedule+0x16/0x18
[ 27.728585]  kasan_end_report+0x43/0x49
[ 27.732543]  kasan_report_error.cold+0xa7/0x191
[ 27.737197]  ? refcount_dec_not_one+0x9a/0xc0
[ 27.741672]  __asan_report_load4_noabort+0x68/0x70
[ 27.746578]  ? refcount_dec_not_one+0x9a/0xc0
[ 27.751069]  refcount_dec_not_one+0x9a/0xc0
[ 27.755474]  refcount_dec_and_mutex_lock+0x1a/0x60
[ 27.760378]  nbd_genl_connect+0xf94/0x1400
[ 27.764590]  ? nbd_xmit_timeout+0x500/0x500
[ 27.768888]  ? validate_nla+0x192/0x5e0
[ 27.772856]  genl_family_rcv_msg+0x572/0xb20
[ 27.777239]  ? genl_rcv+0x40/0x40
[ 27.780673]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 27.786099]  ? trace_hardirqs_on+0x10/0x10
[ 27.790324]  ? sock_sendmsg+0xb5/0x100
[ 27.794200]  genl_rcv_msg+0xaf/0x140
[ 27.797890]  netlink_rcv_skb+0x125/0x390
[ 27.801929]  ? genl_family_rcv_msg+0xb20/0xb20
[ 27.806512]  ? netlink_ack+0x9a0/0x9a0
[ 27.810376]  ? lock_acquire+0x170/0x3f0
[ 27.814424]  genl_rcv+0x24/0x40
[ 27.817691]  netlink_unicast+0x437/0x610
[ 27.821740]  ? netlink_sendskb+0xd0/0xd0
[ 27.825785]  ? __check_object_size+0x179/0x230
[ 27.830358]  netlink_sendmsg+0x62e/0xb80
[ 27.834406]  ? nlmsg_notify+0x170/0x170
[ 27.838351]  ? kernel_recvmsg+0x210/0x210
[ 27.842476]  ? security_socket_sendmsg+0x83/0xb0
[ 27.847205]  ? nlmsg_notify+0x170/0x170
[ 27.851172]  sock_sendmsg+0xb5/0x100
[ 27.854878]  ___sys_sendmsg+0x6c8/0x800
[ 27.858843]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 27.863586]  ? netlink_dump+0xad0/0xad0
[ 27.867536]  ? nlmsg_notify+0x170/0x170
[ 27.871490]  ? security_socket_recvmsg+0x8b/0xc0
[ 27.876260]  ? SyS_recvfrom+0x27f/0x340
[ 27.880215]  ? SyS_send+0x40/0x40
[ 27.883776]  ? vm_insert_page+0x7c0/0x7c0
[ 27.887906]  ? __fdget+0x167/0x1f0
[ 27.891423]  ? sockfd_lookup_light+0xb2/0x160
[ 27.895894]  __sys_sendmsg+0xa3/0x120
[ 27.899687]  ? SyS_shutdown+0x160/0x160
[ 27.903641]  ? up_read+0x17/0x30
[ 27.906992]  ? __do_page_fault+0x159/0xad0
[ 27.911206]  SyS_sendmsg+0x27/0x40
[ 27.914736]  ? __sys_sendmsg+0x120/0x120
[ 27.918773]  do_syscall_64+0x1d5/0x640
[ 27.922728]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.927893] RIP: 0033:0x440669
[ 27.931063] RSP: 002b:00007fff26aa1c88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 27.938743] RAX: ffffffffffffffda RBX: 00000000000069b1 RCX: 0000000000440669
[ 27.945989] RDX: 0000000000000000 RSI: 0000000020000b40 RDI: 0000000000000003
[ 27.953252] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007fff26aa1e28
[ 27.960498] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff26aa1c9c
[ 27.967843] R13: 431bde82d7b634db R14: 00000000004ae018 R15: 00000000004004a0
[ 27.976463] Kernel Offset: disabled
[ 27.980074] Rebooting in 86400 seconds..