Warning: Permanently added '10.128.1.127' (ECDSA) to the list of known hosts.
[ 47.949724] netlink: 4 bytes leftover after parsing attributes in process `syz-executor290'.
[ 48.014675] netlink: 4 bytes leftover after parsing attributes in process `syz-executor290'.
[ 48.073917] netlink: 4 bytes leftover after parsing attributes in process `syz-executor290'.
[ 48.123400] netlink: 4 bytes leftover after parsing attributes in process `syz-executor290'.
[ 48.173134] netlink: 4 bytes leftover after parsing attributes in process `syz-executor290'.
[ 48.223757] netlink: 4 bytes leftover after parsing attributes in process `syz-executor290'.
[ 48.283378] netlink: 4 bytes leftover after parsing attributes in process `syz-executor290'.
[ 48.333101] netlink: 4 bytes leftover after parsing attributes in process `syz-executor290'.
[ 48.393324] netlink: 4 bytes leftover after parsing attributes in process `syz-executor290'.
[ 48.443712] netlink: 4 bytes leftover after parsing attributes in process `syz-executor290'.
[ 49.283362] ==================================================================
[ 49.290862] BUG: KASAN: use-after-free in ex_handler_refcount+0x141/0x180
[ 49.298117] Write of size 4 at addr ffff8880aa7fd658 by task systemd-udevd/8494
[ 49.305562]
[ 49.307200] CPU: 0 PID: 8494 Comm: systemd-udevd Not tainted 4.14.275-syzkaller #0
[ 49.314892] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.324332] Call Trace:
[ 49.326911]  dump_stack+0x14b/0x1e7
[ 49.330530]  ? ex_handler_refcount+0x141/0x180
[ 49.335105]  print_address_description.cold.6+0x9/0x1ca
[ 49.340453]  ? ex_handler_refcount+0x141/0x180
[ 49.345013]  kasan_report.cold.7+0x11a/0x2d3
[ 49.349517]  __asan_report_store4_noabort+0x17/0x20
[ 49.354519]  ex_handler_refcount+0x141/0x180
[ 49.358997]  ? ex_handler_clear_fs+0xb0/0xb0
[ 49.363382]  fixup_exception+0x7c/0xc0
[ 49.367249]  ? mark_held_locks+0xc7/0x130
[ 49.371392]  do_trap+0x62/0x240
[ 49.374666]  do_error_trap+0x159/0x310
[ 49.378532]  ? math_error+0x300/0x300
[ 49.382314]  ? flags_string.cold.10+0x1a14/0x6895
[ 49.387146]  ? __ww_mutex_wakeup_for_backoff+0x250/0x250
[ 49.392680]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 49.397499]  do_invalid_op+0x1b/0x20
[ 49.401280]  invalid_op+0x1b/0x40
[ 49.404709] RIP: 0010:flags_string.cold.10+0x1a14/0x6895
[ 49.410160] RSP: 0018:ffff88809d8f7c30 EFLAGS: 00010296
[ 49.415592] RAX: 0000000000000000 RBX: ffff8880aa7fd658 RCX: ffff8880aa7fd658
[ 49.422859] RDX: ffffed1013b1ef5a RSI: 0000000000000003 RDI: ffffffff8afb6bc0
[ 49.430196] RBP: ffff88809d8f7c48 R08: 0000000000000001 R09: 0000000000000000
[ 49.437551] R10: ffff88809d8f7c20 R11: ffff88809d8f7b97 R12: 0000000000000000
[ 49.444809] R13: ffffffff895129c0 R14: ffff88808821a840 R15: ffff88808821a900
[ 49.452084]  nbd_put+0x1f/0x150
[ 49.455354]  nbd_release+0xe1/0x140
[ 49.458961]  __blkdev_put+0x621/0x7c0
[ 49.462737]  ? __mutex_unlock_slowpath+0x7d/0x7e0
[ 49.467558]  ? bd_set_size+0xb0/0xb0
[ 49.471247]  ? _raw_spin_unlock+0x2c/0x50
[ 49.475375]  blkdev_put+0x73/0x470
[ 49.478898]  blkdev_close+0x88/0xd0
[ 49.482680]  __fput+0x232/0x740
[ 49.485945]  ? _raw_spin_unlock_irq+0x27/0x90
[ 49.490449]  ____fput+0x9/0x10
[ 49.493712]  task_work_run+0xe5/0x170
[ 49.497502]  exit_to_usermode_loop+0x14a/0x190
[ 49.502060]  do_syscall_64+0x416/0x5b0
[ 49.505930]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 49.510749]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 49.515921] RIP: 0033:0x7fcb2c9bf270
[ 49.519786] RSP: 002b:00007ffcaa7cb8e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 49.527705] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fcb2c9bf270
[ 49.534949] RDX: 000000000aba9500 RSI: 0000000000000000 RDI: 0000000000000007
[ 49.542378] RBP: 00007fcb2d879710 R08: 0000000000000045 R09: 0000000000000018
[ 49.549639] R10: 000055c84cef4e38 R11: 0000000000000246 R12: 0000000000000000
[ 49.557424] R13: 000055c84cf03700 R14: 0000000000000003 R15: 000000000000000e
[ 49.564698]
[ 49.566300] Allocated by task 8470:
[ 49.569919]  save_stack_trace+0x16/0x20
[ 49.573965]  kasan_kmalloc.part.1+0x62/0xf0
[ 49.578378]  kasan_kmalloc+0xaf/0xc0
[ 49.582154]  kmem_cache_alloc_trace+0x152/0x3f0
[ 49.586806]  nbd_dev_add+0x8a/0x7c0
[ 49.590412]  nbd_genl_connect+0x394/0x1540
[ 49.594623]  genl_family_rcv_msg+0x57f/0xfe0
[ 49.599009]  genl_rcv_msg+0xa7/0x140
[ 49.602699]  netlink_rcv_skb+0x12f/0x3b0
[ 49.606826]  genl_rcv+0x23/0x40
[ 49.610197]  netlink_unicast+0x40b/0x610
[ 49.614241]  netlink_sendmsg+0x651/0xc10
[ 49.618277]  sock_sendmsg+0xac/0xf0
[ 49.621967]  ___sys_sendmsg+0x625/0x920
[ 49.625914]  __sys_sendmsg+0xc1/0x140
[ 49.629693]  SyS_sendmsg+0xd/0x20
[ 49.633128]  do_syscall_64+0x1c7/0x5b0
[ 49.636996]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 49.642156]
[ 49.643764] Freed by task 8483:
[ 49.647028]  save_stack_trace+0x16/0x20
[ 49.650998]  kasan_slab_free+0xab/0x190
[ 49.655102]  kfree+0xcc/0x270
[ 49.658279]  nbd_put+0x113/0x150
[ 49.661620]  nbd_genl_connect+0xcde/0x1540
[ 49.665834]  genl_family_rcv_msg+0x57f/0xfe0
[ 49.670431]  genl_rcv_msg+0xa7/0x140
[ 49.674296]  netlink_rcv_skb+0x12f/0x3b0
[ 49.678343]  genl_rcv+0x23/0x40
[ 49.681595]  netlink_unicast+0x40b/0x610
[ 49.685632]  netlink_sendmsg+0x651/0xc10
[ 49.689672]  sock_sendmsg+0xac/0xf0
[ 49.693276]  ___sys_sendmsg+0x625/0x920
[ 49.697223]  __sys_sendmsg+0xc1/0x140
[ 49.701024]  SyS_sendmsg+0xd/0x20
[ 49.704452]  do_syscall_64+0x1c7/0x5b0
[ 49.708494]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 49.713652]
[ 49.715263] The buggy address belongs to the object at ffff8880aa7fd580
[ 49.715263]  which belongs to the cache kmalloc-512 of size 512
[ 49.728080] The buggy address is located 216 bytes inside of
[ 49.728080]  512-byte region [ffff8880aa7fd580, ffff8880aa7fd780)
[ 49.740032] The buggy address belongs to the page:
[ 49.745137] page:ffffea0002a9ff40 count:1 mapcount:0 mapping:ffff8880aa7fd080 index:0x0
[ 49.753442] flags: 0xfff00000000100(slab)
[ 49.757570] raw: 00fff00000000100 ffff8880aa7fd080 0000000000000000 0000000100000006
[ 49.765440] raw: ffffea0002ac8160 ffffea0002aa9d60 ffff88813fe50940 0000000000000000
[ 49.773311] page dumped because: kasan: bad access detected
[ 49.779001]
[ 49.780611] Memory state around the buggy address:
[ 49.785597]  ffff8880aa7fd500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.792933]  ffff8880aa7fd580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.800361] >ffff8880aa7fd600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.807708]                                                     ^
[ 49.814061]  ffff8880aa7fd680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.821412]  ffff8880aa7fd700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.828941] ==================================================================
[ 49.836283] Disabling lock debugging due to kernel taint
[ 49.855911] Kernel panic - not syncing: panic_on_warn set ...
[ 49.855911]
[ 49.863293] CPU: 1 PID: 8494 Comm: systemd-udevd Tainted: G B 4.14.275-syzkaller #0
[ 49.872190] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.881601] Call Trace:
[ 49.884163]  dump_stack+0x14b/0x1e7
[ 49.887768]  ? ex_handler_refcount+0x141/0x180
[ 49.892329]  panic+0x1b0/0x358
[ 49.895492]  ? add_taint.cold.4+0x11/0x11
[ 49.899610]  ? ___preempt_schedule+0x16/0x18
[ 49.904074]  ? ex_handler_refcount+0x141/0x180
[ 49.908647]  kasan_end_report+0x47/0x4f
[ 49.912691]  kasan_report.cold.7+0x76/0x2d3
[ 49.916997]  __asan_report_store4_noabort+0x17/0x20
[ 49.921990]  ex_handler_refcount+0x141/0x180
[ 49.926373]  ? ex_handler_clear_fs+0xb0/0xb0
[ 49.930878]  fixup_exception+0x7c/0xc0
[ 49.934831]  ? mark_held_locks+0xc7/0x130
[ 49.938958]  do_trap+0x62/0x240
[ 49.942216]  do_error_trap+0x159/0x310
[ 49.946075]  ? math_error+0x300/0x300
[ 49.949941]  ? flags_string.cold.10+0x1a14/0x6895
[ 49.954938]  ? __ww_mutex_wakeup_for_backoff+0x250/0x250
[ 49.960372]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 49.965199]  do_invalid_op+0x1b/0x20
[ 49.968972]  invalid_op+0x1b/0x40
[ 49.972482] RIP: 0010:flags_string.cold.10+0x1a14/0x6895
[ 49.978035] RSP: 0018:ffff88809d8f7c30 EFLAGS: 00010296
[ 49.983551] RAX: 0000000000000000 RBX: ffff8880aa7fd658 RCX: ffff8880aa7fd658
[ 49.990801] RDX: ffffed1013b1ef5a RSI: 0000000000000003 RDI: ffffffff8afb6bc0
[ 49.998136] RBP: ffff88809d8f7c48 R08: 0000000000000001 R09: 0000000000000000
[ 50.005384] R10: ffff88809d8f7c20 R11: ffff88809d8f7b97 R12: 0000000000000000
[ 50.012739] R13: ffffffff895129c0 R14: ffff88808821a840 R15: ffff88808821a900
[ 50.019996]  nbd_put+0x1f/0x150
[ 50.023423]  nbd_release+0xe1/0x140
[ 50.027025]  __blkdev_put+0x621/0x7c0
[ 50.030804]  ? __mutex_unlock_slowpath+0x7d/0x7e0
[ 50.035637]  ? bd_set_size+0xb0/0xb0
[ 50.039514]  ? _raw_spin_unlock+0x2c/0x50
[ 50.043649]  blkdev_put+0x73/0x470
[ 50.047245]  blkdev_close+0x88/0xd0
[ 50.050842]  __fput+0x232/0x740
[ 50.054091]  ? _raw_spin_unlock_irq+0x27/0x90
[ 50.058962]  ____fput+0x9/0x10
[ 50.062150]  task_work_run+0xe5/0x170
[ 50.065929]  exit_to_usermode_loop+0x14a/0x190
[ 50.070643]  do_syscall_64+0x416/0x5b0
[ 50.074624]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 50.079438]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 50.084598] RIP: 0033:0x7fcb2c9bf270
[ 50.088301] RSP: 002b:00007ffcaa7cb8e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 50.096076] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fcb2c9bf270
[ 50.103338] RDX: 000000000aba9500 RSI: 0000000000000000 RDI: 0000000000000007
[ 50.110582] RBP: 00007fcb2d879710 R08: 0000000000000045 R09: 0000000000000018
[ 50.117828] R10: 000055c84cef4e38 R11: 0000000000000246 R12: 0000000000000000
[ 50.125085] R13: 000055c84cf03700 R14: 0000000000000003 R15: 000000000000000e
[ 50.132609] Kernel Offset: disabled
[ 50.136316] Rebooting in 86400 seconds..