netlink: 12 bytes leftover after parsing attributes in process `syz.0.309'. ------------[ cut here ]------------ refcount_t: saturated; leaking memory. WARNING: lib/refcount.c:19 at 0x0, CPU#1: syz.0.309/7322 Modules linked in: CPU: 1 UID: 0 PID: 7322 Comm: syz.0.309 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:refcount_warn_saturate+0xc5/0x110 lib/refcount.c:19 Code: 01 99 fd 0a 67 48 0f b9 3a eb 37 e8 e5 c4 33 fd 48 8d 3d fe 98 fd 0a 67 48 0f b9 3a eb 24 e8 d2 c4 33 fd 48 8d 3d fb 98 fd 0a <67> 48 0f b9 3a eb 11 e8 bf c4 33 fd 48 8d 3d f8 98 fd 0a 67 48 0f RSP: 0018:ffffc9000bc27528 EFLAGS: 00010293 RAX: ffffffff848dee5e RBX: 0000000000000000 RCX: ffff888032fddb80 RDX: 0000000000000000 RSI: ffffffff8e6837c0 RDI: ffffffff8f8b8760 RBP: ffffc9000bc27648 R08: ffff888032fddb80 R09: 0000000000000005 R10: 0000000000000004 R11: 0000000000000000 R12: ffff8880647326c0 R13: ffff888064732640 R14: ffff8880647326c0 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff888125f4f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000037000 CR3: 000000005d576000 CR4: 00000000003526f0 Call Trace: __refcount_add_not_zero include/linux/refcount.h:187 [inline] refcount_add_not_zero include/linux/refcount.h:212 [inline] __vma_enter_locked+0x62e/0x6a0 mm/mmap_lock.c:69 __vma_start_write+0x23/0x140 mm/mmap_lock.c:96 vma_start_write include/linux/mmap_lock.h:213 [inline] free_pgtables+0x55d/0x9d0 mm/memory.c:398 exit_mmap+0x431/0xb10 mm/mmap.c:1288 __mmput+0x118/0x430 kernel/fork.c:1173 exit_mm+0x1da/0x2c0 kernel/exit.c:581 do_exit+0x658/0x2310 kernel/exit.c:959 do_group_exit+0x21c/0x2d0 kernel/exit.c:1112 get_signal+0x1285/0x1340 kernel/signal.c:3034 arch_do_signal_or_restart+0x9a/0x7a0 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline] exit_to_user_mode_loop+0x87/0x4f0 kernel/entry/common.c:75 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] do_syscall_64+0x2e3/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f9fed78f749 Code: Unable to access opcode bytes at 0x7f9fed78f71f. RSP: 002b:00007f9fee5ec038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: 0000000000000028 RBX: 00007f9fed9e6180 RCX: 00007f9fed78f749 RDX: 0000000000000000 RSI: 0000200000000700 RDI: 0000000000000003 RBP: 00007f9fed813f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f9fed9e6218 R14: 00007f9fed9e6180 R15: 00007fff8b778d68 ---------------- Code disassembly (best guess): 0: 01 99 fd 0a 67 48 add %ebx,0x48670afd(%rcx) 6: 0f b9 3a ud1 (%rdx),%edi 9: eb 37 jmp 0x42 b: e8 e5 c4 33 fd call 0xfd33c4f5 10: 48 8d 3d fe 98 fd 0a lea 0xafd98fe(%rip),%rdi # 0xafd9915 17: 67 48 0f b9 3a ud1 (%edx),%rdi 1c: eb 24 jmp 0x42 1e: e8 d2 c4 33 fd call 0xfd33c4f5 23: 48 8d 3d fb 98 fd 0a lea 0xafd98fb(%rip),%rdi # 0xafd9925 * 2a: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction 2f: eb 11 jmp 0x42 31: e8 bf c4 33 fd call 0xfd33c4f5 36: 48 8d 3d f8 98 fd 0a lea 0xafd98f8(%rip),%rdi # 0xafd9935 3d: 67 addr32 3e: 48 rex.W 3f: 0f .byte 0xf