[ 29.037330] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 29.046686] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 29.053691] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 29.064224] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 29.072025] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 29.161480] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 29.574790] can: request_module (can-proto-0) failed.
[ 29.585416] can: request_module (can-proto-0) failed.
[ 29.594420] can: request_module (can-proto-0) failed.
[ 39.595975] unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
Warning: Permanently added '10.128.10.43' (ECDSA) to the list of known hosts.
[ 47.410208] netlink: 4 bytes leftover after parsing attributes in process `syz-executor938'.
[ 47.475899] netlink: 4 bytes leftover after parsing attributes in process `syz-executor938'.
[ 47.525869] netlink: 4 bytes leftover after parsing attributes in process `syz-executor938'.
[ 47.574898] netlink: 4 bytes leftover after parsing attributes in process `syz-executor938'.
[ 47.625105] netlink: 4 bytes leftover after parsing attributes in process `syz-executor938'.
[ 47.684972] netlink: 4 bytes leftover after parsing attributes in process `syz-executor938'.
[ 47.734899] netlink: 4 bytes leftover after parsing attributes in process `syz-executor938'.
[ 47.775205] netlink: 4 bytes leftover after parsing attributes in process `syz-executor938'.
[ 47.814926] netlink: 4 bytes leftover after parsing attributes in process `syz-executor938'.
[ 47.874329] netlink: 4 bytes leftover after parsing attributes in process `syz-executor938'.
[ 48.514416] ==================================================================
[ 48.521884] BUG: KASAN: use-after-free in refcount_dec_not_one+0x67/0x70
[ 48.528712] Read of size 4 at addr ffff8880aa764d98 by task syz-executor938/8428
[ 48.536222]
[ 48.537833] CPU: 1 PID: 8428 Comm: syz-executor938 Not tainted 4.14.267-syzkaller #0
[ 48.545694] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.555038] Call Trace:
[ 48.557818]  dump_stack+0x14b/0x1e7
[ 48.561436]  ? refcount_dec_not_one+0x67/0x70
[ 48.565916]  print_address_description.cold.6+0x9/0x1ca
[ 48.571261]  ? refcount_dec_not_one+0x67/0x70
[ 48.575735]  kasan_report.cold.7+0x11a/0x2d3
[ 48.580242]  __asan_report_load4_noabort+0x14/0x20
[ 48.585152]  refcount_dec_not_one+0x67/0x70
[ 48.589451]  refcount_dec_and_mutex_lock+0x17/0x50
[ 48.594715]  nbd_put+0x1f/0x150
[ 48.597989]  nbd_genl_connect+0xcde/0x1540
[ 48.602207]  ? nbd_genl_disconnect+0x2c0/0x2c0
[ 48.606983]  ? is_bpf_text_address+0x7d/0xe0
[ 48.611466]  ? lock_acquire+0x17e/0x3e0
[ 48.615427]  genl_family_rcv_msg+0x57f/0xfe0
[ 48.619813]  ? genl_rcv+0x40/0x40
[ 48.623249]  genl_rcv_msg+0xa7/0x140
[ 48.626939]  netlink_rcv_skb+0x12f/0x3b0
[ 48.630987]  ? genl_family_rcv_msg+0xfe0/0xfe0
[ 48.635555]  ? netlink_ack+0xaa0/0xaa0
[ 48.639427]  genl_rcv+0x23/0x40
[ 48.642858]  netlink_unicast+0x40b/0x610
[ 48.647680]  ? netlink_sendskb+0x40/0x40
[ 48.651735]  ? import_iovec+0x96/0x420
[ 48.655604]  netlink_sendmsg+0x651/0xc10
[ 48.659642]  ? nlmsg_notify+0x140/0x140
[ 48.663610]  ? nlmsg_notify+0x140/0x140
[ 48.667559]  sock_sendmsg+0xac/0xf0
[ 48.671161]  ___sys_sendmsg+0x625/0x920
[ 48.675199]  ? netlink_sendskb+0x40/0x40
[ 48.679236]  ? copy_msghdr_from_user+0x440/0x440
[ 48.683992]  ? netlink_sendmsg+0x8c6/0xc10
[ 48.688216]  ? lock_downgrade+0x7f0/0x7f0
[ 48.692351]  ? netlink_dump+0x9b0/0x9b0
[ 48.696487]  ? sock_recvmsg+0xb7/0xf0
[ 48.700265]  ? SyS_recvfrom+0x2ef/0x380
[ 48.704217]  ? SyS_send+0x20/0x20
[ 48.707651]  ? vm_insert_mixed_mkwrite+0x10/0x10
[ 48.712554]  ? __fdget+0xe/0x10
[ 48.715807]  ? sockfd_lookup_light+0x1c/0x160
[ 48.720275]  __sys_sendmsg+0xc1/0x140
[ 48.724055]  ? SyS_shutdown+0x180/0x180
[ 48.728014]  ? do_syscall_64+0x4c/0x5b0
[ 48.731960]  ? __sys_sendmsg+0x140/0x140
[ 48.735995]  SyS_sendmsg+0xd/0x20
[ 48.739430]  do_syscall_64+0x1c7/0x5b0
[ 48.743306]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 48.748307]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 48.753508] RIP: 0033:0x7f6ad1285949
[ 48.757356] RSP: 002b:00007ffffeecb908 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 48.765069] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 00007f6ad1285949
[ 48.772314] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 48.779567] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 48.786822] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000bbe8
[ 48.794079] R13: 00007ffffeecb91c R14: 00007ffffeecb930 R15: 00007ffffeecb920
[ 48.801438]
[ 48.803072] Allocated by task 8427:
[ 48.806686]  save_stack_trace+0x16/0x20
[ 48.810808]  kasan_kmalloc.part.1+0x62/0xf0
[ 48.815398]  kasan_kmalloc+0xaf/0xc0
[ 48.819302]  kmem_cache_alloc_trace+0x152/0x3f0
[ 48.823955]  nbd_dev_add+0x8a/0x7c0
[ 48.827564]  nbd_genl_connect+0x394/0x1540
[ 48.831892]  genl_family_rcv_msg+0x57f/0xfe0
[ 48.836388]  genl_rcv_msg+0xa7/0x140
[ 48.840204]  netlink_rcv_skb+0x12f/0x3b0
[ 48.844249]  genl_rcv+0x23/0x40
[ 48.847516]  netlink_unicast+0x40b/0x610
[ 48.851581]  netlink_sendmsg+0x651/0xc10
[ 48.855626]  sock_sendmsg+0xac/0xf0
[ 48.859319]  ___sys_sendmsg+0x625/0x920
[ 48.863265]  __sys_sendmsg+0xc1/0x140
[ 48.867069]  SyS_sendmsg+0xd/0x20
[ 48.870762]  do_syscall_64+0x1c7/0x5b0
[ 48.874633]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 48.879879]
[ 48.881507] Freed by task 8428:
[ 48.884973]  save_stack_trace+0x16/0x20
[ 48.888936]  kasan_slab_free+0xab/0x190
[ 48.893085]  kfree+0xcc/0x270
[ 48.896257]  nbd_put+0x113/0x150
[ 48.899600]  nbd_config_put+0x4bf/0x780
[ 48.903649]  nbd_genl_connect+0xcbe/0x1540
[ 48.908048]  genl_family_rcv_msg+0x57f/0xfe0
[ 48.912526]  genl_rcv_msg+0xa7/0x140
[ 48.916227]  netlink_rcv_skb+0x12f/0x3b0
[ 48.920793]  genl_rcv+0x23/0x40
[ 48.924084]  netlink_unicast+0x40b/0x610
[ 48.928124]  netlink_sendmsg+0x651/0xc10
[ 48.932253]  sock_sendmsg+0xac/0xf0
[ 48.935970]  ___sys_sendmsg+0x625/0x920
[ 48.939973]  __sys_sendmsg+0xc1/0x140
[ 48.943834]  SyS_sendmsg+0xd/0x20
[ 48.947276]  do_syscall_64+0x1c7/0x5b0
[ 48.951151]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 48.956312]
[ 48.957917] The buggy address belongs to the object at ffff8880aa764cc0
[ 48.957917]  which belongs to the cache kmalloc-512 of size 512
[ 48.970577] The buggy address is located 216 bytes inside of
[ 48.970577]  512-byte region [ffff8880aa764cc0, ffff8880aa764ec0)
[ 48.982437] The buggy address belongs to the page:
[ 48.987448] page:ffffea0002a9d900 count:1 mapcount:0 mapping:ffff8880aa764040 index:0x0
[ 48.996002] flags: 0xfff00000000100(slab)
[ 49.000141] raw: 00fff00000000100 ffff8880aa764040 0000000000000000 0000000100000006
[ 49.008116] raw: ffffea0002b0b820 ffffea0002a30620 ffff88813fe50940 0000000000000000
[ 49.015974] page dumped because: kasan: bad access detected
[ 49.021673]
[ 49.023279] Memory state around the buggy address:
[ 49.028297]  ffff8880aa764c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 49.035646]  ffff8880aa764d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.042998] >ffff8880aa764d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.050351]                             ^
[ 49.054477]  ffff8880aa764e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.061946]  ffff8880aa764e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 49.069286] ==================================================================
[ 49.076623] Disabling lock debugging due to kernel taint
[ 49.086287] Kernel panic - not syncing: panic_on_warn set ...
[ 49.086287]
[ 49.093653] CPU: 0 PID: 8428 Comm: syz-executor938 Tainted: G B 4.14.267-syzkaller #0
[ 49.102744] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.112233] Call Trace:
[ 49.114805]  dump_stack+0x14b/0x1e7
[ 49.118430]  ? refcount_dec_not_one+0x67/0x70
[ 49.122918]  panic+0x1b0/0x358
[ 49.126090]  ? add_taint.cold.4+0x11/0x11
[ 49.130332]  ? ___preempt_schedule+0x16/0x18
[ 49.134847]  ? refcount_dec_not_one+0x67/0x70
[ 49.139318]  kasan_end_report+0x47/0x4f
[ 49.143283]  kasan_report.cold.7+0x76/0x2d3
[ 49.147594]  __asan_report_load4_noabort+0x14/0x20
[ 49.152501]  refcount_dec_not_one+0x67/0x70
[ 49.156798]  refcount_dec_and_mutex_lock+0x17/0x50
[ 49.161837]  nbd_put+0x1f/0x150
[ 49.165095]  nbd_genl_connect+0xcde/0x1540
[ 49.169311]  ? nbd_genl_disconnect+0x2c0/0x2c0
[ 49.173869]  ? is_bpf_text_address+0x7d/0xe0
[ 49.178250]  ? lock_acquire+0x17e/0x3e0
[ 49.182202]  genl_family_rcv_msg+0x57f/0xfe0
[ 49.186699]  ? genl_rcv+0x40/0x40
[ 49.190144]  genl_rcv_msg+0xa7/0x140
[ 49.193846]  netlink_rcv_skb+0x12f/0x3b0
[ 49.197989]  ? genl_family_rcv_msg+0xfe0/0xfe0
[ 49.202561]  ? netlink_ack+0xaa0/0xaa0
[ 49.206426]  genl_rcv+0x23/0x40
[ 49.209677]  netlink_unicast+0x40b/0x610
[ 49.213720]  ? netlink_sendskb+0x40/0x40
[ 49.217757]  ? import_iovec+0x96/0x420
[ 49.221623]  netlink_sendmsg+0x651/0xc10
[ 49.225667]  ? nlmsg_notify+0x140/0x140
[ 49.229617]  ? nlmsg_notify+0x140/0x140
[ 49.233562]  sock_sendmsg+0xac/0xf0
[ 49.237180]  ___sys_sendmsg+0x625/0x920
[ 49.241225]  ? netlink_sendskb+0x40/0x40
[ 49.245392]  ? copy_msghdr_from_user+0x440/0x440
[ 49.250302]  ? netlink_sendmsg+0x8c6/0xc10
[ 49.254515]  ? lock_downgrade+0x7f0/0x7f0
[ 49.258644]  ? netlink_dump+0x9b0/0x9b0
[ 49.262712]  ? sock_recvmsg+0xb7/0xf0
[ 49.266493]  ? SyS_recvfrom+0x2ef/0x380
[ 49.270457]  ? SyS_send+0x20/0x20
[ 49.273887]  ? vm_insert_mixed_mkwrite+0x10/0x10
[ 49.278618]  ? __fdget+0xe/0x10
[ 49.281943]  ? sockfd_lookup_light+0x1c/0x160
[ 49.286422]  __sys_sendmsg+0xc1/0x140
[ 49.290199]  ? SyS_shutdown+0x180/0x180
[ 49.294161]  ? do_syscall_64+0x4c/0x5b0
[ 49.298127]  ? __sys_sendmsg+0x140/0x140
[ 49.302168]  SyS_sendmsg+0xd/0x20
[ 49.305596]  do_syscall_64+0x1c7/0x5b0
[ 49.309473]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 49.314291]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 49.319452] RIP: 0033:0x7f6ad1285949
[ 49.323136] RSP: 002b:00007ffffeecb908 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 49.330817] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 00007f6ad1285949
[ 49.338172] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 49.345413] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 49.352658] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000bbe8
[ 49.359921] R13: 00007ffffeecb91c R14: 00007ffffeecb930 R15: 00007ffffeecb920
[ 49.367375] Kernel Offset: disabled
[ 49.370988] Rebooting in 86400 seconds..