Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.158' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 32.709614] netlink: 4 bytes leftover after parsing attributes in process `syz-executor231'.
[ 32.718411] netlink: 4 bytes leftover after parsing attributes in process `syz-executor231'.
[ 32.727505] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 32.794504] netlink: 4 bytes leftover after parsing attributes in process `syz-executor231'.
[ 32.804317] netlink: 4 bytes leftover after parsing attributes in process `syz-executor231'.
[ 32.814218] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 32.863013] netlink: 4 bytes leftover after parsing attributes in process `syz-executor231'.
[ 32.872870] netlink: 4 bytes leftover after parsing attributes in process `syz-executor231'.
[ 32.882749] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 32.932216] netlink: 4 bytes leftover after parsing attributes in process `syz-executor231'.
[ 32.941693] netlink: 4 bytes leftover after parsing attributes in process `syz-executor231'.
[ 32.951900] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 32.998251] netlink: 4 bytes leftover after parsing attributes in process `syz-executor231'.
[ 33.008535] netlink: 4 bytes leftover after parsing attributes in process `syz-executor231'.
[ 33.019930] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 33.080393] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
executing program
[ 33.126500] nbd: socks must be embedded in a SOCK_ITEM attr
[ 33.134556] nbd: nbd0 already in use
[ 33.186806] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 33.237164] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 33.285865] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
executing program
[ 33.327353] nbd: socks must be embedded in a SOCK_ITEM attr
[ 33.336822] nbd: nbd0 already in use
[ 33.376768] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 33.436153] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 33.484521] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 33.526017] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
executing program
[ 33.587013] nbd: socks must be embedded in a SOCK_ITEM attr
[ 33.598597] nbd: nbd0 already in use
[ 33.640576] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
[ 33.695095] nbd: socks must be embedded in a SOCK_ITEM attr
[ 33.755720] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 33.807555] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
executing program
executing program
executing program
[ 33.857417] nbd: socks must be embedded in a SOCK_ITEM attr
[ 33.869057] nbd: nbd0 already in use
[ 33.873018] nbd: nbd0 already in use
[ 33.877029] nbd: nbd0 already in use
[ 33.916165] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 33.965935] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
executing program
[ 34.016082] nbd: socks must be embedded in a SOCK_ITEM attr
[ 34.025583] nbd: nbd0 already in use
executing program
[ 34.068040] nbd: nbd0 already in use
[ 34.075500] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 34.129447] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
executing program
executing program
executing program
executing program
[ 34.175529] nbd: socks must be embedded in a SOCK_ITEM attr
[ 34.184449] nbd: nbd0 already in use
[ 34.189387] nbd: nbd0 already in use
[ 34.193276] nbd: nbd0 already in use
[ 34.200415] nbd: nbd0 already in use
[ 34.235796] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
[ 34.276491] nbd: socks must be embedded in a SOCK_ITEM attr
[ 34.315619] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
[ 34.326107] nbd: nbd0 already in use
[ 34.374127] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
executing program
executing program
[ 34.425389] nbd: socks must be embedded in a SOCK_ITEM attr
[ 34.435616] nbd: nbd0 already in use
[ 34.441498] nbd: nbd0 already in use
executing program
executing program
[ 34.477719] nbd: nbd0 already in use
[ 34.484559] nbd: socks must be embedded in a SOCK_ITEM attr
[ 34.537813] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
executing program
[ 34.596740] nbd: socks must be embedded in a SOCK_ITEM attr
[ 34.607085] nbd: nbd0 already in use
[ 34.644972] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
[ 34.707024] nbd: socks must be embedded in a SOCK_ITEM attr
[ 34.757581] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 34.805337] nbd: socks must be embedded in a SOCK_ITEM attr
[ 34.815857] nbd: nbd0 already in use
[ 34.819951] nbd: nbd0 already in use
[ 34.824739] nbd: nbd0 already in use
[ 34.831549] nbd: nbd0 already in use
[ 34.835838] nbd: nbd0 already in use
[ 34.881154] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
[ 34.932084] nbd: socks must be embedded in a SOCK_ITEM attr
[ 34.975227] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 35.025757] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
[ 35.076873] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
executing program
[ 35.134544] nbd: socks must be embedded in a SOCK_ITEM attr
[ 35.145157] nbd: nbd0 already in use
[ 35.201391] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
executing program
[ 35.246488] nbd: socks must be embedded in a SOCK_ITEM attr
[ 35.256746] nbd: nbd0 already in use
[ 35.285325] nbd: socks must be embedded in a SOCK_ITEM attr
executing program
executing program
executing program
executing program
[ 35.344895] nbd: socks must be embedded in a SOCK_ITEM attr
[ 35.352809] nbd: nbd0 already in use
[ 35.357131] nbd: nbd0 already in use
executing program
[ 35.404696] nbd: socks must be embedded in a SOCK_ITEM attr
[ 35.414125] nbd: socks must be embedded in a SOCK_ITEM attr
[ 35.459238] ==================================================================
[ 35.466720] BUG: KASAN: use-after-free in refcount_dec_not_one+0x71/0x1d0
[ 35.473674] Read of size 4 at addr ffff8880b4d8c418 by task syz-executor231/8512
[ 35.481180]
[ 35.482793] CPU: 0 PID: 8512 Comm: syz-executor231 Not tainted 4.19.197-syzkaller #0
[ 35.490649] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.500064] Call Trace:
[ 35.502637]  dump_stack+0x1fc/0x2ef
[ 35.506247]  print_address_description.cold+0x54/0x219
[ 35.511513]  kasan_report_error.cold+0x8a/0x1b9
[ 35.516162]  ? refcount_dec_not_one+0x71/0x1d0
[ 35.520725]  kasan_report+0x8f/0xa0
[ 35.524350]  ? refcount_dec_not_one+0x71/0x1d0
[ 35.528912]  refcount_dec_not_one+0x71/0x1d0
[ 35.533303]  ? refcount_dec_and_test_checked+0x20/0x20
[ 35.538562]  ? nbd_config_put+0x5da/0x870
[ 35.542699]  refcount_dec_and_mutex_lock+0x1c/0x80
[ 35.547608]  nbd_genl_connect+0x11ee/0x1630
[ 35.551958]  ? nbd_xmit_timeout+0x730/0x730
[ 35.556288]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 35.561465]  ? validate_nla+0x270/0x820
[ 35.565420]  ? nla_parse+0x1b2/0x290
[ 35.569116]  genl_family_rcv_msg+0x642/0xc40
[ 35.573514]  ? genl_rcv+0x40/0x40
[ 35.576970]  ? genl_rcv_msg+0x12f/0x160
[ 35.580928]  ? mutex_trylock+0x1a0/0x1a0
[ 35.584973]  ? __radix_tree_lookup+0x216/0x370
[ 35.589545]  genl_rcv_msg+0xbf/0x160
[ 35.593243]  netlink_rcv_skb+0x160/0x440
[ 35.597285]  ? genl_family_rcv_msg+0xc40/0xc40
[ 35.601849]  ? netlink_ack+0xae0/0xae0
[ 35.605718]  ? genl_rcv+0x15/0x40
[ 35.609270]  genl_rcv+0x24/0x40
[ 35.612537]  netlink_unicast+0x4d5/0x690
[ 35.616586]  ? netlink_sendskb+0x110/0x110
[ 35.620806]  ? _copy_from_iter_full+0x229/0x7c0
[ 35.625459]  ? __phys_addr_symbol+0x2c/0x70
[ 35.629765]  ? __check_object_size+0x17b/0x3e0
[ 35.634330]  netlink_sendmsg+0x6bb/0xc40
[ 35.638392]  ? aa_af_perm+0x230/0x230
[ 35.642173]  ? nlmsg_notify+0x1a0/0x1a0
[ 35.646128]  ? kernel_recvmsg+0x220/0x220
[ 35.650262]  ? nlmsg_notify+0x1a0/0x1a0
[ 35.654235]  sock_sendmsg+0xc3/0x120
[ 35.657930]  ___sys_sendmsg+0x7bb/0x8e0
[ 35.661889]  ? copy_msghdr_from_user+0x440/0x440
[ 35.666626]  ? netlink_dump+0xc10/0xc10
[ 35.670648]  ? nlmsg_notify+0x1a0/0x1a0
[ 35.674613]  ? security_socket_recvmsg+0x8f/0xc0
[ 35.679353]  ? __sys_recvfrom+0x2cd/0x3a0
[ 35.683480]  ? __ia32_sys_send+0x100/0x100
[ 35.687716]  ? __fdget+0x1a0/0x230
[ 35.691279]  __x64_sys_sendmsg+0x132/0x220
[ 35.695624]  ? __sys_sendmsg+0x1b0/0x1b0
[ 35.699684]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 35.705038]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 35.710037]  ? do_syscall_64+0x21/0x620
[ 35.714003]  do_syscall_64+0xf9/0x620
[ 35.717797]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.722969] RIP: 0033:0x440759
[ 35.726194] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 35.745080] RSP: 002b:00007ffc837e63c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 35.752768] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 0000000000440759
[ 35.760018] RDX: 0000000000000000 RSI: 0000000020000b40 RDI: 0000000000000003
[ 35.767276] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 35.774528] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000088ff
[ 35.781796] R13: 00007ffc837e63dc R14: 00007ffc837e63f0 R15: 00007ffc837e63e0
[ 35.789068]
[ 35.790673] Allocated by task 8499:
[ 35.794284]  kmem_cache_alloc_trace+0x12f/0x380
[ 35.798935]  nbd_dev_add+0x44/0x890
[ 35.802540]  nbd_genl_connect+0x488/0x1630
[ 35.806784]  genl_family_rcv_msg+0x642/0xc40
[ 35.811179]  genl_rcv_msg+0xbf/0x160
[ 35.814868]  netlink_rcv_skb+0x160/0x440
[ 35.818905]  genl_rcv+0x24/0x40
[ 35.822161]  netlink_unicast+0x4d5/0x690
[ 35.826197]  netlink_sendmsg+0x6bb/0xc40
[ 35.830238]  sock_sendmsg+0xc3/0x120
[ 35.833929]  ___sys_sendmsg+0x7bb/0x8e0
[ 35.837879]  __x64_sys_sendmsg+0x132/0x220
[ 35.842093]  do_syscall_64+0xf9/0x620
[ 35.845871]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.851050]
[ 35.852654] Freed by task 8512:
[ 35.855914]  kfree+0xcc/0x210
[ 35.859000]  nbd_put.part.0+0xfe/0x140
[ 35.862880]  nbd_config_put+0x6a0/0x870
[ 35.866920]  nbd_genl_connect+0x11bb/0x1630
[ 35.871224]  genl_family_rcv_msg+0x642/0xc40
[ 35.875634]  genl_rcv_msg+0xbf/0x160
[ 35.879328]  netlink_rcv_skb+0x160/0x440
[ 35.883363]  genl_rcv+0x24/0x40
[ 35.886619]  netlink_unicast+0x4d5/0x690
[ 35.890657]  netlink_sendmsg+0x6bb/0xc40
[ 35.894695]  sock_sendmsg+0xc3/0x120
[ 35.898389]  ___sys_sendmsg+0x7bb/0x8e0
[ 35.902341]  __x64_sys_sendmsg+0x132/0x220
[ 35.906555]  do_syscall_64+0xf9/0x620
[ 35.910336]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.915496]
[ 35.917120] The buggy address belongs to the object at ffff8880b4d8c340
[ 35.917120]  which belongs to the cache kmalloc-512 of size 512
[ 35.929766] The buggy address is located 216 bytes inside of
[ 35.929766]  512-byte region [ffff8880b4d8c340, ffff8880b4d8c540)
[ 35.941616] The buggy address belongs to the page:
[ 35.946614] page:ffffea0002d36300 count:1 mapcount:0 mapping:ffff88813bff0940 index:0xffff8880b4d8cac0
[ 35.956047] flags: 0xfff00000000100(slab)
[ 35.960179] raw: 00fff00000000100 ffffea00028c9ec8 ffffea0002d15488 ffff88813bff0940
[ 35.968061] raw: ffff8880b4d8cac0 ffff8880b4d8c0c0 0000000100000002 0000000000000000
[ 35.975915] page dumped because: kasan: bad access detected
[ 35.981598]
[ 35.983204] Memory state around the buggy address:
[ 35.988116]  ffff8880b4d8c300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 35.995452]  ffff8880b4d8c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.002787] >ffff8880b4d8c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.010122]                         ^
[ 36.014247]  ffff8880b4d8c480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.021596]  ffff8880b4d8c500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 36.028935] ==================================================================
[ 36.036266] Disabling lock debugging due to kernel taint
[ 36.042892] Kernel panic - not syncing: panic_on_warn set ...
[ 36.042892]
[ 36.050274] CPU: 0 PID: 8512 Comm: syz-executor231 Tainted: G B 4.19.197-syzkaller #0
[ 36.059537] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.068878] Call Trace:
[ 36.071467]  dump_stack+0x1fc/0x2ef
[ 36.075092]  panic+0x26a/0x50e
[ 36.078283]  ? __warn_printk+0xf3/0xf3
[ 36.082161]  ? preempt_schedule_common+0x45/0xc0
[ 36.087098]  ? ___preempt_schedule+0x16/0x18
[ 36.091483]  ? trace_hardirqs_on+0x55/0x210
[ 36.095802]  kasan_end_report+0x43/0x49
[ 36.099755]  kasan_report_error.cold+0xa7/0x1b9
[ 36.104400]  ? refcount_dec_not_one+0x71/0x1d0
[ 36.108963]  kasan_report+0x8f/0xa0
[ 36.112583]  ? refcount_dec_not_one+0x71/0x1d0
[ 36.117143]  refcount_dec_not_one+0x71/0x1d0
[ 36.121619]  ? refcount_dec_and_test_checked+0x20/0x20
[ 36.126875]  ? nbd_config_put+0x5da/0x870
[ 36.131002]  refcount_dec_and_mutex_lock+0x1c/0x80
[ 36.135909]  nbd_genl_connect+0x11ee/0x1630
[ 36.140210]  ? nbd_xmit_timeout+0x730/0x730
[ 36.144511]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 36.149679]  ? validate_nla+0x270/0x820
[ 36.153628]  ? nla_parse+0x1b2/0x290
[ 36.157320]  genl_family_rcv_msg+0x642/0xc40
[ 36.161706]  ? genl_rcv+0x40/0x40
[ 36.165135]  ? genl_rcv_msg+0x12f/0x160
[ 36.169102]  ? mutex_trylock+0x1a0/0x1a0
[ 36.173153]  ? __radix_tree_lookup+0x216/0x370
[ 36.177714]  genl_rcv_msg+0xbf/0x160
[ 36.181404]  netlink_rcv_skb+0x160/0x440
[ 36.185442]  ? genl_family_rcv_msg+0xc40/0xc40
[ 36.190015]  ? netlink_ack+0xae0/0xae0
[ 36.193878]  ? genl_rcv+0x15/0x40
[ 36.197308]  genl_rcv+0x24/0x40
[ 36.200562]  netlink_unicast+0x4d5/0x690
[ 36.204600]  ? netlink_sendskb+0x110/0x110
[ 36.208811]  ? _copy_from_iter_full+0x229/0x7c0
[ 36.213473]  ? __phys_addr_symbol+0x2c/0x70
[ 36.217782]  ? __check_object_size+0x17b/0x3e0
[ 36.222346]  netlink_sendmsg+0x6bb/0xc40
[ 36.226385]  ? aa_af_perm+0x230/0x230
[ 36.230161]  ? nlmsg_notify+0x1a0/0x1a0
[ 36.234119]  ? kernel_recvmsg+0x220/0x220
[ 36.238256]  ? nlmsg_notify+0x1a0/0x1a0
[ 36.242210]  sock_sendmsg+0xc3/0x120
[ 36.245958]  ___sys_sendmsg+0x7bb/0x8e0
[ 36.249911]  ? copy_msghdr_from_user+0x440/0x440
[ 36.254641]  ? netlink_dump+0xc10/0xc10
[ 36.258592]  ? nlmsg_notify+0x1a0/0x1a0
[ 36.262549]  ? security_socket_recvmsg+0x8f/0xc0
[ 36.267283]  ? __sys_recvfrom+0x2cd/0x3a0
[ 36.271408]  ? __ia32_sys_send+0x100/0x100
[ 36.275621]  ? __fdget+0x1a0/0x230
[ 36.279140]  __x64_sys_sendmsg+0x132/0x220
[ 36.283349]  ? __sys_sendmsg+0x1b0/0x1b0
[ 36.287392]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 36.292736]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 36.297734]  ? do_syscall_64+0x21/0x620
[ 36.301685]  do_syscall_64+0xf9/0x620
[ 36.305466]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.310633] RIP: 0033:0x440759
[ 36.313806] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 36.332683] RSP: 002b:00007ffc837e63c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 36.340368] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 0000000000440759
[ 36.347617] RDX: 0000000000000000 RSI: 0000000020000b40 RDI: 0000000000000003
[ 36.354863] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 36.362108] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000088ff
[ 36.369356] R13: 00007ffc837e63dc R14: 00007ffc837e63f0 R15: 00007ffc837e63e0
[ 36.378071] Kernel Offset: disabled
[ 36.381706] Rebooting in 86400 seconds..